exploit the possibilities

phpEventCalendar.txt

phpEventCalendar.txt
Posted Jan 27, 2005
Authored by Madelman

phpEventCalendar version 0.2 does not check title and event text when the data is inserted in the database, allowing for arbitrary HTML injection.

tags | exploit, arbitrary
MD5 | e9a569c32f80bca6c0ffb8d8af9ac8ff

phpEventCalendar.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: phpEventCalendar HTML injection
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 25/01/2005
Severity: Medium. Registered users can obtain other users cookies

Summary:
- --------

phpEventCalendar is a MySQL backed application that allows users to post and
display events or notes on a month-at-a-glance calendar. A user administration
panel allows authorized users (Administrators) to control who can add, delete,
and edit events (Editors).
(from vendor site: http://www.ikemcg.com/scripts/pec/index.html)

phpEventCalendar doesn't check title and text of events inserted in the database,
so we can inject arbitrary HTML which will be executed by other users.

This vulnerability has been tested with phpEventCalendar 0.2


Details:
- --------

When inserting a new event into the system, phpEventCalendar doesn't check the
values of title and text variables, it only escapes it when necessary to avoid
SQL injection. These variables will be later retrieved by other user viewing the
calendar and showed with strip_slashes so we can write arbitrary HTML (or Javascript)
which will be executed by other users when they look at the calendar (if inserted in
title, but take care there's a limit in the length of the title shown in the calendar)
or when they look at the individual entry.

Example of exploitation:

Insert an event with text: <script>alert(document.cookie);</script>


Solution:
- ---------

Upgrade to phpEventCalendar 0.2.1


Timeline
- --------

07/01/2005 - Vulnerability found
07/01/2005 - Vendor contacted
08/01/2005 - Vendor replied confirming bug
18/01/2005 - New version released
25/01/2005 - Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB9pIg3RWooxY20cIRAtDzAKCCr/Uh64X4NaCXvFgjTUaHn0l7aQCZARDF
1l2Zx92XmzX+j825gG871AY=
=waZY
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    14 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close