WebCalendar Multiple Vulnerabilities

Posted Dec 1, 2005
Authored by Francesco Ongaro | Site ush.it

WebCalendar 1.0.1 is susceptible to SQL injection attacks.

tags | advisory, sql injection
SHA-256 | 23e27c95c7836fb9ed4b91fc3f6d56dabd8ce00e2c70c418b4563aabab3e4fb9

WebCalendar Multiple Vulnerabilities

Name              Multiple Vulnerabilities in WebCalendar
Systems Affected  WebCalendar (verified on 1.0.1)
Severity          Medium Risk
Vendor            www.k5n.us/webcalendar.php?topic=About
Advisory          http://www_ush_it/2005/11/28/webcalendar-multiple-vulnerabilities/
Advisory          http://www_ush_it/team/ascii/hack-WebCalendar/advisory.txt
Author            Francesco "aScii" Ongaro (ascii at katamail . com)
Date              20051128

I. BACKGROUND

WebCalendar is a PHP calendar application; more information is
available on the vendor site.

II. DESCRIPTION

WebCalendar is vulnerable to four SQL injections (in activity_log.php,
admin_handler.php, edit_template.php and export_handler.php) and one
local file overwrite (export_handler.php). Input validation fixes all
of them.

III. ANALYSIS

Since WebCalendar is a fairly large piece of software with a lot of code
and files, the project's own developers can surely do a better
vulnerability assessment than mine. I spent about 5 hours on this code
review and focused on specific bugs and areas, so no warranty is given.
The assumptions are:

- register_globals off
- $login, $id and the other variables set up in init.php are assumed safe

I checked for SQL injection and other macro bugs in the following
files (subdirectories not checked, XSS not checked):

year.php add_entry.php admin.php admin_handler.php adminhome.php
approve_entry.php assistant_edit.php assistant_edit_handler.php
availability.php category.php category_handler.php colors.php
datesel.php day.php del_entry.php del_layer.php edit_entry.php
edit_entry_handler.php edit_layer.php edit_layer_handler.php
edit_nonusers.php edit_nonusers_handler.php edit_report.php
edit_report_handler.php edit_template.php edit_user.php
edit_user_handler.php export.php export_handler.php gradient.php
group_edit.php group_edit_handler.php groups.php help_admin.php
help_bug.php help_edit_entry.php help_import.php help_index.php
help_layers.php help_pref.php import.php import_handler.php
import_ical.php import_palmdesktop.php import_vcal.php index.php
layers.php layers_toggle.php list_unapproved.php login.php month.php
nonusers.php nonusers_handler.php pref.php pref_handler.php publish.php
purge.php reject_entry.php report.php search.php search_handler.php
select_user.php set_entry_cat.php upcoming.php users.php usersel.php
view_d.php view_entry.php view_l.php view_m.php view_t.php view_v.php
view_w.php views.php views_edit.php views_edit_handler.php week.php
week_details.php week_ssi.php activity_log.php

Note: this is not the send_reminders.php?include_dir= bug. All the
findings are for WebCalendar 1.0.1 (the latest version at the time of
writing).

*** activity_log.php $startid SQL Injection ***

activity_log.php is linked from adminhome.php only when $is_admin is set,
so this is an admin-facing page:

if ($is_admin) {
  $names[] = translate("Delete Events");
  $links[] = "purge.php";

  $names[] = translate("Activity Log");
  $links[] = "activity_log.php";
}

In activity_log.php the $startid variable reaches the query unchecked.

*** admin_handler.php POST SQL Injection ***

if ( $error == "" ) {
  while ( list ( $key, $value ) = each ( $HTTP_POST_VARS ) ) {
    $setting = substr ( $key, 6 );
    if ( strlen ( $setting ) > 0 ) {
      $sql = "DELETE FROM webcal_config WHERE cal_setting = '$setting'";
      if ( ! dbi_query ( $sql ) ) [..CUT..]
      if ( strlen ( $value ) > 0 ) {
        $sql = "INSERT INTO webcal_config ( cal_setting, cal_value ) VALUES
          ( '$setting', '$value' )";
        if ( ! dbi_query ( $sql ) ) [..CUT..]
      }
    }
  }
}

Note that the first 6 characters of the POST key (the form field prefix)
are discarded and the remainder is used as-is. Injection is possible
both through $key (via $setting) and through $value, since neither is
escaped before being interpolated into the DELETE and INSERT statements.

*** edit_template.php $template SQL Injection ***

if ( empty ( $REQUEST_METHOD ) )
  $REQUEST_METHOD = $_SERVER['REQUEST_METHOD'];

// Handle form submission
if ( $REQUEST_METHOD == 'POST' ) {
  //$template = getPostValue ( "template" );
  $template = $_POST['template'];
  //echo "Template: " . $template . "\n"; exit;
  if ( $found ) {
    $sql = "UPDATE webcal_report_template " .
      "SET cal_template_text = '$template' " .
      "WHERE cal_template_type = '$type' AND cal_report_id = 0";
  } else {
    $sql = "INSERT INTO webcal_report_template " .
      "( cal_template_type, cal_report_id, cal_template_text ) " .
      "VALUES ( '$type', 0, '$template' )";
  }
  [..CUT..]
}

This is really strange: the getPostValue() call is commented out in
favour of reading $_POST['template'] directly, and the value is then
interpolated into the UPDATE/INSERT unescaped. If I were the CVS admin
I would look into how this came about.
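The following is an added example in Python, not WebCalendar's own code (which is PHP). It models the admin_handler.php loop quoted above with sqlite3 so that both injection paths can actually be run, and puts the fixed handler beside it: an allow-list on the setting name plus bound parameters, which is the same change edit_template.php needs for $template and $type. The table and column names follow the advisory; the "admin_" field prefix, the three sample settings and the two payloads are constructed for the demo.

```python
import sqlite3

# Constructed sample data: table and column names follow the advisory,
# the three settings are invented for the demo.
SAMPLE_ROWS = [("APPLICATION_NAME", "WebCalendar"),
               ("SERVER_TIMEZONE", "Europe/Rome"),
               ("single_user", "N")]

# The form-field prefix that substr($key, 6) strips. Assumed to be
# 'admin_'; the PHP never looks at it, so any six characters will do.
PREFIX = "admin_"
ALLOWED_SETTINGS = {name for name, _ in SAMPLE_ROWS}


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE webcal_config (cal_setting TEXT, cal_value TEXT)")
    con.executemany("INSERT INTO webcal_config VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def rows(con):
    return sorted(con.execute("SELECT cal_setting, cal_value FROM webcal_config"))


def vulnerable_handler(con, post):
    """Mirror of the PHP loop: drop 6 chars, interpolate setting and value."""
    for key, value in post.items():
        setting = key[6:]
        if setting:
            con.execute(
                f"DELETE FROM webcal_config WHERE cal_setting = '{setting}'")
            if value:
                con.execute(
                    "INSERT INTO webcal_config ( cal_setting, cal_value ) "
                    f"VALUES ( '{setting}', '{value}' )")
    con.commit()


def safe_handler(con, post):
    """Fixed version: require the prefix, allow-list the setting name, and
    bind both values as parameters so quotes in them are data, not SQL.
    Returns the keys it refused so the caller can report them."""
    rejected = []
    for key, value in post.items():
        setting = key[len(PREFIX):] if key.startswith(PREFIX) else ""
        if setting not in ALLOWED_SETTINGS:
            rejected.append(key)
            continue
        con.execute("DELETE FROM webcal_config WHERE cal_setting = ?", (setting,))
        if value:
            con.execute(
                "INSERT INTO webcal_config ( cal_setting, cal_value ) VALUES ( ?, ? )",
                (setting, value))
    con.commit()
    return rejected


# Two constructed payloads: one through the key, one through the value.
# WIPE_ALL yields: DELETE FROM webcal_config WHERE cal_setting = '' OR '1'='1'
WIPE_ALL = {"admin_' OR '1'='1": ""}
# ADD_ROW yields: INSERT ... VALUES ( 'APPLICATION_NAME', 'Cal'), ('single_user', 'Y' )
ADD_ROW = {"admin_APPLICATION_NAME": "Cal'), ('single_user', 'Y"}


def demo():
    """Run both payloads through both handlers; return the resulting tables."""
    out = {}
    for name, handler in (("vulnerable", vulnerable_handler), ("safe", safe_handler)):
        for label, post in (("wipe", WIPE_ALL), ("add", ADD_ROW)):
            con = fresh_db()
            handler(con, post)
            out[(name, label)] = rows(con)
    return out


if __name__ == "__main__":
    for (name, label), table in demo().items():
        print(f"{name:10s} {label:5s} -> {table}")
```

The key payload empties webcal_config with a single DELETE; the value payload turns the INSERT into a multi-row insert and plants a second single_user row. The safe handler refuses the first key outright and stores the second value verbatim as one harmless string.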

*** export_handler.php multiple vars SQL Injection ***

$id = getPostValue ( 'id' );
$format = getPostValue ( 'format' );
$use_all_dates = getPostValue ( 'use_all_dates' );
$include_layers = getPostValue ( 'include_layers' );
$fromyear = getPostValue ( 'fromyear' );
$frommonth = getPostValue ( 'frommonth' );
$fromday = getPostValue ( 'fromday' );
$endyear = getPostValue ( 'endyear' );
$endmonth = getPostValue ( 'endmonth' );
$endday = getPostValue ( 'endday' );
$modyear = getPostValue ( 'modyear' );
$modmonth = getPostValue ( 'modmonth' );
$modday = getPostValue ( 'modday' );

getPostValue() performs no validation, so all of these variables are
unchecked, allowing multiple SQL injections. (For example, $id is safe
in 99% of the project's files because init.php validates it, but in
this file the variable is overwritten with the raw POST value and never
checked.)

$id and $format have local scope; all the others are globals.

*** export_handler.php data file overwrite ***

if ($format == "ical") {
  transmit_header ( 'text/ical', "webcalendar-$id.ics" );
  export_ical($id);

} elseif ($format == "vcal") {
  transmit_header ( 'text/vcal', "webcalendar-$id.vcs" );
  export_vcal($id);
} elseif ($format == "pilot-csv") {
  transmit_header ( 'text/csv', "webcalendar-$id.csv" );
  export_pilot_csv ( $id );
} elseif ($format == "pilot-text") {
  transmit_header('text/plain', "webcalendar-$id.txt" );
  export_install_datebook($id);
[..CUT..]

With suitably chosen $_POST['id'] and $_POST['format'] values you can
overwrite another saved data file. This is the little brother of the
bug above.
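As an added example (not the project's code), here is Python validation for the parameters export_handler.php takes through getPostValue(). The parameter names and the four formats come from the code quoted above; the year bounds, the BadInput type and the sample inputs are the demo's own. vulnerable_filename() shows what the unchecked $id does to the export file name; clean_export_params() is the check that closes both the SQL injection and the file-name problem, since a value that is only decimal digits can neither close a quoted SQL literal nor carry a path component.

```python
import re

# Export formats and the extension each one gets, taken from the
# if/elseif chain in export_handler.php.
FORMATS = {"ical": "ics", "vcal": "vcs", "pilot-csv": "csv", "pilot-text": "txt"}

# Range checks for the nine date fields (the year bounds are an assumption).
DATE_FIELDS = {
    "fromyear": (1970, 2099), "frommonth": (1, 12), "fromday": (1, 31),
    "endyear": (1970, 2099), "endmonth": (1, 12), "endday": (1, 31),
    "modyear": (1970, 2099), "modmonth": (1, 12), "modday": (1, 31),
}


class BadInput(ValueError):
    """Raised for any parameter that fails validation (demo's own type)."""


def vulnerable_filename(post):
    """What the quoted PHP does: $id goes straight into the file name."""
    ext = FORMATS.get(post.get("format", ""))
    return f"webcalendar-{post.get('id', '')}.{ext}" if ext else None


def clean_export_params(post):
    """Return a dict of validated values or raise BadInput.

    id: decimal digits only, so it is safe both in a quoted SQL literal
    and in a file name (no quote, no '/', no '..', no extra extension).
    format: allow-listed against FORMATS.
    dates: optional, but if present must be integers inside their range.
    """
    clean = {}
    raw_id = post.get("id", "")
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise BadInput("id must be a decimal integer")
    clean["id"] = int(raw_id)

    fmt = post.get("format", "")
    if fmt not in FORMATS:
        raise BadInput("unknown export format")
    clean["format"] = fmt

    for name, (lo, hi) in DATE_FIELDS.items():
        raw = post.get(name)
        if raw is None or raw == "":
            clean[name] = None          # optional field: absent, not wrong
            continue
        if not re.fullmatch(r"[0-9]{1,4}", raw) or not lo <= int(raw) <= hi:
            raise BadInput(f"{name} is not a valid value")
        clean[name] = int(raw)
    return clean


def export_filename(clean):
    """File name built only from already-validated values."""
    return f"webcalendar-{clean['id']}.{FORMATS[clean['format']]}"


def is_valid(post):
    """Convenience wrapper: True if clean_export_params() accepts the input."""
    try:
        clean_export_params(post)
        return True
    except BadInput:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate export, three hostile ones.
    print(vulnerable_filename({"id": "../../calendar", "format": "ical"}))
    print(export_filename(clean_export_params({"id": "42", "format": "vcal"})))
    for bad in ({"id": "../../calendar", "format": "ical"},
                {"id": "1' OR '1'='1", "format": "ical"},
                {"id": "42", "format": "../../etc"}):
        print(bad, "->", "accepted" if is_valid(bad) else "rejected")
```

Validating at the point where the POST values are read, rather than at each use, is what the original file gets wrong: the same $id feeds both a query and a file name, so one missed check is two bugs.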

IV. DETECTION

WebCalendar 1.0.1 is vulnerable.
Older versions have not been verified.

V. WORKAROUND

Input validation will fix the vulnerabilities. For the SQL injections,
escaping or binding every value that reaches a query is the safer habit,
since per-field validation is easy to miss (export_handler.php shows how
an otherwise validated $id gets overwritten with a raw one).

VI. VENDOR RESPONSE

We received a response from Craig Knudsen, the project leader, on the
night of 20051128. The same day he fixed 3 of the 4 issues in the
REL_1_0_0 branch of CVS, so a new version (probably 1.0.2) should be
released to the public soon.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20051128 Bug discovered
20051128 Advisory released
20051128 Vendor response
20051128 Vendor CVS fix

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any part of this
alert in any medium other than electronic, please email me for
permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.