Original text at:
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/

At HackDefense, we were evaluating various calendaring solutions, and
during installation and configuration of DAViCal we discovered three
(severe) vulnerabilities. We reported these vulnerabilities to the
vendor. Unfortunately, the DAViCal project itself was not able to fix
these vulnerabilities. As DAViCal is an open source project we decided
to contribute patches for these vulnerabilities ourselves. DAViCal has
accepted our patches in the 1.1.9.1 release. If you use DAViCal as a
calendaring server, we recommend upgrading to version 1.1.9.1 immediately
to remediate the issues we’ve discovered.

All three vulnerabilities exist in the web-based management pages that
come with DAViCal. We have written three separate advisories to describe
the vulnerabilities:

    CVE-2019-18345 – (this advisory) Reflected Cross-Site Scripting
    CVE-2019-18346 – Cross-Site Request Forgery
    CVE-2019-18347 – Persistent Cross-Site Scripting

CVE Reference: CVE-2019-18345
CVSS score: 9.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

About DAViCal
=============

DAViCal is a server for calendar sharing. It is an implementation of the
CalDAV protocol which is designed for storing calendaring resources on a
remote shared server. It can be used by various e‑mail and calendaring
clients to centrally store and share calendars.

It includes a web-based management application. It was in these pages
that we discovered this vulnerability.

Affected systems
================

DAViCal CalDAV Server 1.1.8 and prior

Overview
========

A reflected cross-site scripting (XSS) vulnerability was found in
multiple pages of the DAViCal CalDAV Server. This is possible because
the application echoes user supplied input without encoding.

POC URL:
http://davical.host/admin.php?action=edit&t="><script>alert()</script>&id=1

Impact
======

If a user visits an attacker-supplied link, the attacker can view all
data the attacked user can view, as well as perform all actions in the
name of the user. If the user is administrator, the attacker can for
example change the password of the user to take over the account and
gain full access to the application.

Solution
========

Update to version 1.1.9.1

Technical solution details
==========================

XSS vulnerabilities are a problem with dynamically generated websites
that use user input. If user input is not correctly sanitized you could
very well end up with a user pushing some javascript to your frontend.

XSS isn’t a vulnerability that’s hard to grasp or circumvent but it’s
awfully easy to make a mistake like that. One thing you’ll hear over and
over again is never to trust user input. Always sanitize it when it
comes in and it’s best to still not trust it then. Characters like <, >
and " should never be rawly echoed to the frontend. The use cases for
echoing user input back to the frontend are endless. From a simple
"Greetings, $username" to editing personal user information with the
form having all the fields already filled in. So when someone has a
quote in their name, you shouldn’t echo the raw quote but &­quot;.

These days web frameworks handle a lot of sanitation for us. Laravel for
example uses simple brackets to echo variables to the user all these
variables are escaped first: {{ $username }}. Twig does something
similar by using a pipe like syntax: {{ $username | escape}}.

These days when developing your application you need to make sure you
sanitize everything you output to the user. But since DAViCal is an
established project it’s not doable to sift through the code to look for
functions that output text to the frontend. Another problem was that
DAViCal dynamically adds GET parameters to echoed urls. This is why I
chose to sanitize both incoming variables and their names. In the
DAViCal always.php I added a function that loops through the $_GET and
$_POST array recursively (as arrays can contain arrays and so forth) and
run the names and variables through htmlspecialchars() except for the
password field which of course should be able to have special characters
in them.

The reason you don’t do it this way in new applications is because now
if for some reason someone has another way of interacting with your
application (by API calls for example) you’d have to sanitize your input
on both sides. Moreover, APIs that pass JSON objects around for example,
don’t need to have script tags encoded as it means nothing to them and
JSON objects are encoded in a different way. In this case however,
DAViCal doesn’t have other entry points which you can use to insert data
in the database. So sanitizing all input once will suffice!

Responsible Disclosure timeline
===============================

04-Jan-2019 Reported to the DAViCal CalDAV Server project (no response)
21-Jan-2019 Reported to the DAViCal CalDAV Server project again
22-Jan-2019 Report acknowledged
28-May-2019 Asked for an update regarding these vulnerabilities
29-May-2019 The DAViCal project responded that they did not have
resources to implement a fix for these vulnerabilities
31-May-2019 Partnered up with Niels van Gijzen to contribute a patch
24-Oct-2019 CVE-2019-18345, CVE-2019-18346 and CVE-2019-18347 were
assigned to these vulnerabilities
25-Oct-2019 Released a patch that fixes these vulnerabilities
29-Nov-2019 DAViCal verified the patch
03-Dec-2019 DAViCal released version 1.1.9.1 including our patch

Useful links
============

DAViCal 1.1.9.1 Release Notes
https://wiki.davical.org/index.php/Release_Notes/1.1.9.1

DAViCal 1.1.9.1 on Gitlab
https://gitlab.com/davical-project/davical

This advisory
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/