Original text at:
https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability/

At HackDefense, we were evaluating various calendaring solutions, and
during installation and configuration of DAViCal we discovered three
(severe) vulnerabilities. We reported these vulnerabilities to the
vendor. Unfortunately, the DAViCal project itself was not able to fix
these vulnerabilities. As DAViCal is an open source project we decided
to contribute patches for these vulnerabilities ourselves. DAViCal has
accepted our patches in the 1.1.9 release. If you use DAViCal as a
calendaring server, we recommend upgrading to version 1.1.9 immediately
to remediate the issues we’ve discovered.

All three vulnerabilities exist in the web-based management pages that
come with DAViCal. We have written three separate advisories to describe
the vulnerabilities:

    CVE-2019-18345 — Reflected Cross-Site Scripting
    CVE-2019-18346 — Cross-Site Request Forgery
    CVE-2019-18347 — (this advisory) Persistent Cross-Site Scripting

CVE Reference: CVE-2019-18347
CVSS score: 9.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

About DAViCal
=============

DAViCal is a server for calendar sharing. It is an implementation of the
CalDAV protocol which is designed for storing calendaring resources on a
remote shared server. It can be used by various e‑mail and calendaring
clients to centrally store and share calendars.

It includes a web-based management application. It was in these pages
that we discovered this vulnerability.

Affected systems
================

DAViCal CalDAV Server 1.1.8 and prior

Overview
========

The application does not validate user input like email addresses,
usernames and display names. In addition, the web application does not
encode these user input when echoing them to in the web pages. An attack
with a low privileged account can exploit these issues to execute a
Persistent Cross-site Scripting (XSS) attack.

POC URL: http://davical.host/admin.php?action=edit&t=principal&id=1

Place a XSS payload in the username or fullname field e.g.
<script>alert()</script>

Impact
======

An attacker can use XSS to send a malicious JavaScript to an
unsuspecting user. The end user’s browser has no way to know that the
script should not be trusted, and will execute the script. Because the
browser thinks the script came from a trusted source, the malicious
JavaScript can access session tokens (without the HttpOnly flag) or
other sensitive information retained by the browser and used with that
site in the context of the victim.

If the user is administrator, the attacker can for example change the
password of the user to take over the account and gain full access to
the application.

In this case, because the Javascript is stored in the database and
included in pages others can open, it can be used by one user to attack
other users on the same system.

Combined with a CSRF attack (see CVE-2019 – 18346) it is possible to
attack users from the outside as well, if an authenticated DAViCal user
visits the attacker’s web site.

Solution
========

Update to version 1.1.9.1

Technical solution details
==========================

XSS vulnerabilities are a problem with dynamically generated websites
that use user input. If user input is not correctly sanitized you could
very well end up with a user pushing some javascript to your frontend.

XSS isn’t a vulnerability that’s hard to grasp or circumvent but it’s
awfully easy to make a mistake like that. One thing you’ll hear over and
over again is never to trust user input. Always sanitize it when it
comes in and it’s best to still not trust it then. Characters like <, >
and " should never be rawly echoed to the frontend. The use cases for
echoing user input back to the frontend are endless. From a simple
"Greetings, $username" to editing personal user information with the
form having all the fields already filled in. So when someone has a
quote in their name, you shouldn’t echo the raw quote but &­quot;.

These days web frameworks handle a lot of sanitation for us. Laravel for
example uses simple brackets to echo variables to the user all these
variables are escaped first: {{ $username }}. Twig does something
similar by using a pipe like syntax: {{ $username | escape}}.

These days when developing your application you need to make sure you
sanitize everything you output to the user. But since DAViCal is an
established project it’s not doable to sift through the code to look for
functions that output text to the frontend. Another problem was that
DAViCal dynamically adds GET parameters to echoed urls. This is why I
chose to sanitize both incoming variables and their names. In the
DAViCal always.php I added a function that loops through the $_GET and
$_POST array recursively (as arrays can contain arrays and so forth) and
run the names and variables through htmlspecialchars() except for the
password field which of course should be able to have special characters
in them.

The reason you don’t do it this way in new applications is because now
if for some reason someone has another way of interacting with your
application (by API calls for example) you’d have to sanitize your input
on both sides. Moreover, APIs that pass JSON objects around for example,
don’t need to have script tags encoded as it means nothing to them and
JSON objects are encoded in a different way. In this case however,
DAViCal doesn’t have other entry points which you can use to insert data
in the database. So sanitizing all input once will suffice!

Responsible Disclosure timeline
===============================

04-Jan-2019 Reported to the DAViCal CalDAV Server project (no response)
21-Jan-2019 Reported to the DAViCal CalDAV Server project again
22-Jan-2019 Report acknowledged
28-May-2019 Asked for an update regarding these vulnerabilities
29-May-2019 The DAViCal project responded that they did not have
resources to implement a fix for these vulnerabilities
31-May-2019 Partnered up with Niels van Gijzen to contribute a patch
24-Oct-2019 CVE-2019-18345, CVE-2019-18346 and CVE-2019-18347 were
assigned to these vulnerabilities
25-Oct-2019 Released a patch that fixes these vulnerabilities
29-Nov-2019 DAViCal verified the patch
03-Dec-2019 DAViCal released version 1.1.9.1 including our patch

Useful links
============

DAViCal 1.1.9.1 Release Notes
https://wiki.davical.org/index.php/Release_Notes/1.1.9.1

DAViCal 1.1.9.1 on Gitlab
https://gitlab.com/davical-project/davical

This advisory
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/