WebCalendar Multiple Vulnerabilities

Name              Multiple Vulnerabilities in WebCalendar
Systems Affected  WebCalendar (verified on 1.0.1)
Severity          Medium Risk
Vendor            www.k5n.us/webcalendar.php?topic=About
Advisory          http://www_ush_it/2005/11/28/webcalendar-multiple-vulnerabilities/
Advisory          http://www_ush_it/team/ascii/hack-WebCalendar/advisory.txt
Author            Francesco "aScii" Ongaro (ascii at katamail . com)
Date              20051128

I. BACKGROUND

WebCalendar is a PHP calendar program; more information is available at the vendor site.

II. DESCRIPTION

WebCalendar is vulnerable to four SQL injections (in the files activity_log.php, admin_handler.php, edit_template.php and export_handler.php) and one local file overwrite (export_handler.php). Input validation will fix them.

III. ANALYSIS

Since WebCalendar is a quite big piece of software with a lot of code and files, the project's own programmers can surely do a better vulnerability assessment than mine. I dedicated about 5 hours to this code review and focused on specific bugs and areas, so no warranty is given. The assumptions are:

- globals off
- $login, $id and other init.php vars assumed to be secure

I checked for SQL injection and other MACRO-BUGS in the following files (subdirectories not checked, XSS not checked):

year.php add_entry.php admin.php admin_handler.php adminhome.php approve_entry.php
assistant_edit.php assistant_edit_handler.php availability.php category.php
category_handler.php colors.php datesel.php day.php del_entry.php del_layer.php
edit_entry.php edit_entry_handler.php edit_layer.php edit_layer_handler.php
edit_nonusers.php edit_nonusers_handler.php edit_report.php edit_report_handler.php
edit_template.php edit_user.php edit_user_handler.php export.php export_handler.php
gradient.php group_edit.php group_edit_handler.php groups.php help_admin.php
help_bug.php help_edit_entry.php help_import.php help_index.php help_layers.php
help_pref.php import.php import_handler.php import_ical.php import_palmdesktop.php
import_vcal.php index.php layers.php layers_toggle.php list_unapproved.php login.php
month.php nonusers.php nonusers_handler.php pref.php pref_handler.php publish.php
purge.php reject_entry.php report.php search.php search_handler.php select_user.php
set_entry_cat.php upcoming.php users.php usersel.php view_d.php view_entry.php
view_l.php view_m.php view_t.php view_v.php view_w.php views.php views_edit.php
views_edit_handler.php week.php week_details.php week_ssi.php activity_log.php

Note: this is not the send_reminders.php?include_dir= bug. All the findings are for WebCalendar 1.0.1 (the latest version at the time of writing).

*** activity_log.php $startid SQL Injection ***

In adminhome.php:

  if ($is_admin) {
    $names[] = translate("Delete Events");
    $links[] = "purge.php";
    $names[] = translate("Activity Log");
    $links[] = "activity_log.php";
  }

The affected variable in activity_log.php is $startid.

*** admin_handler.php POST SQL Injection ***

  if ( $error == "" ) {
    // every POST key/value pair is walked, none of them is escaped
    while ( list ( $key, $value ) = each ( $HTTP_POST_VARS ) ) {
      $setting = substr ( $key, 6 );   // first 6 chars of the key are dropped
      if ( strlen ( $setting ) > 0 ) {
        $sql = "DELETE FROM webcal_config WHERE cal_setting = '$setting'";
        if ( ! dbi_query ( $sql ) )
          [..CUT..]
        if ( strlen ( $value ) > 0 ) {
          $sql = "INSERT INTO webcal_config ( cal_setting, cal_value ) " .
            "VALUES ( '$setting', '$value' )";
          if ( ! dbi_query ( $sql ) )
            [..CUT..]
        }
      }
    }
  }

Note that the first 6 chars of the key are ignored. Injection is possible both from $key (the $setting variable) and from $value.

*** edit_template.php $template SQL Injection ***

  if ( empty ( $REQUEST_METHOD ) )
    $REQUEST_METHOD = $_SERVER['REQUEST_METHOD'];

  // Handle form submission
  if ( $REQUEST_METHOD == 'POST' ) {
    //$template = getPostValue ( "template" );
    $template = $_POST['template'];   // raw POST value, used below unescaped
    //echo "Template: " . $template . "\n"; exit;

    if ( $found ) {
      $sql = "UPDATE webcal_report_template " .
        "SET cal_template_text = '$template' " .
        "WHERE cal_template_type = '$type' AND cal_report_id = 0";
    } else {
      $sql = "INSERT INTO webcal_report_template " .
        "( cal_template_type, cal_report_id, cal_template_text ) " .
        "VALUES ( '$type', 0, '$template' )";
    }
    [..CUT..]
  }

As you can see this is really strange; if I were the CVS admin I would investigate it (the intended solution is commented out).

*** export_handler.php multiple vars SQL Injection ***

  $id = getPostValue ( 'id' );
  $format = getPostValue ( 'format' );
  $use_all_dates = getPostValue ( 'use_all_dates' );
  $include_layers = getPostValue ( 'include_layers' );
  $fromyear = getPostValue ( 'fromyear' );
  $frommonth = getPostValue ( 'frommonth' );
  $fromday = getPostValue ( 'fromday' );
  $endyear = getPostValue ( 'endyear' );
  $endmonth = getPostValue ( 'endmonth' );
  $endday = getPostValue ( 'endday' );
  $modyear = getPostValue ( 'modyear' );
  $modmonth = getPostValue ( 'modmonth' );
  $modday = getPostValue ( 'modday' );

According to getPostValue(), all these variables are unchecked, allowing multiple SQL injections. (For example, $id is safe in 99% of the project files because of the validation done in init.php, but in this file the variable is overridden and left unchecked.) $id and $format have local scope; all the others are globals.

*** export_handler.php data file overwrite ***

  if ($format == "ical") {
    transmit_header ( 'text/ical', "webcalendar-$id.ics" );   // $id unchecked
    export_ical($id);
  } elseif ($format == "vcal") {
    transmit_header ( 'text/vcal', "webcalendar-$id.vcs" );
    export_vcal($id);
  } elseif ($format == "pilot-csv") {
    transmit_header ( 'text/csv', "webcalendar-$id.csv" );
    export_pilot_csv ( $id );
  } elseif ($format == "pilot-text") {
    transmit_header('text/plain', "webcalendar-$id.txt" );
    export_install_datebook($id);
  [..CUT..]

You can overwrite other saved data files using the right $_POST['id'] and $_POST['format']. This is the little brother of the bug above.

IV. DETECTION

WebCalendar 1.0.1 is vulnerable. Older versions not verified.

V. WORKAROUND

Input validation will fix the vulnerability.

VI. VENDOR RESPONSE

We had a response from Craig Knudsen, the project leader, on the night of 20051128.
The same day Craig quickly resolved 3 of the 4 issues in the REL_1_0_0 branch of CVS, so a new version (probably 1.0.2) will soon be released to the public.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20051128 Bug discovered
20051128 Advisory released
20051128 Vendor response
20051128 Vendor CVS fix

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
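The following PHP is an added example, not part of the original advisory and not WebCalendar's own code. It shows the input validation that section V calls for, applied to the two patterns from section III: the admin_handler.php loop that builds DELETE/INSERT statements from raw POST keys and values, and the export_handler.php $id/$format pair that feeds both SQL and a derived filename. The same integer check applies to $startid in activity_log.php. The function names (parse_export_request, safe_export_filename, save_config_settings), the allowlist of known setting names and the use of PDO with the pdo_sqlite extension for the demo are assumptions; the format list and filename pattern are the ones the advisory quotes.

```php
<?php
// Added example (not WebCalendar code): validation layer for the request
// parameters named in the advisory. Function names are hypothetical.

// Allowlist of export formats quoted in the advisory, mapped to the MIME type
// and extension that export_handler.php passes to transmit_header().
const EXPORT_FORMATS = [
    'ical'       => ['text/ical',  'ics'],
    'vcal'       => ['text/vcal',  'vcs'],
    'pilot-csv'  => ['text/csv',   'csv'],
    'pilot-text' => ['text/plain', 'txt'],
];

/**
 * Validate the id/format pair from $_POST. Returns [int $id, string $format]
 * or throws, so nothing that is not an integer or not in the allowlist can
 * reach a query or a filename.
 */
function parse_export_request(array $post): array
{
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer.
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $format = $post['format'] ?? '';
    if (!is_string($format) || !array_key_exists($format, EXPORT_FORMATS)) {
        throw new InvalidArgumentException('unknown export format');
    }
    return [$id, $format];
}

/** Build the download name from validated parts only. */
function safe_export_filename(int $id, string $format): string
{
    $ext = EXPORT_FORMATS[$format][1];
    return "webcalendar-$id.$ext";
}

/**
 * Replacement for the admin_handler.php loop: the setting name (key minus
 * its 6-char prefix, as in the original) must be a known setting, and both
 * name and value are bound as parameters instead of being interpolated.
 * Returns the number of settings stored.
 */
function save_config_settings(PDO $db, array $post, array $known_settings): int
{
    $del = $db->prepare('DELETE FROM webcal_config WHERE cal_setting = :s');
    $ins = $db->prepare('INSERT INTO webcal_config (cal_setting, cal_value) VALUES (:s, :v)');
    $saved = 0;
    foreach ($post as $key => $value) {
        $setting = substr((string) $key, 6);
        if (!is_string($setting) || $setting === ''
            || !in_array($setting, $known_settings, true)) {
            continue;   // unknown or empty setting names are dropped
        }
        $del->execute([':s' => $setting]);
        if (is_string($value) && strlen($value) > 0) {
            $ins->execute([':s' => $setting, ':v' => $value]);
            $saved++;
        }
    }
    return $saved;
}

// Demo with constructed input and an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE webcal_config (cal_setting TEXT, cal_value TEXT)');

// Constructed POST: one known setting whose value contains a quote,
// and one key that is not a known setting.
$post = [
    'admin_SERVER_TIMEZONE' => "Europe/Rome 'CET'",
    'admin_not_a_setting'   => 'ignored',
];
$n = save_config_settings($db, $post, ['SERVER_TIMEZONE']);
echo "$n setting(s) saved, "
   . $db->query('SELECT COUNT(*) FROM webcal_config')->fetchColumn() . " row(s)\n";

// Constructed export requests: valid, non-integer id, format not in the allowlist.
$requests = [
    ['id' => '7',    'format' => 'ical'],
    ['id' => '7abc', 'format' => 'ical'],
    ['id' => '7',    'format' => '../x'],
];
foreach ($requests as $req) {
    try {
        [$id, $format] = parse_export_request($req);
        echo "ok: " . safe_export_filename($id, $format) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```

The design point is that the two checks are independent of the database driver: the allowlist decides which names may exist at all, and parameter binding keeps values out of the SQL text, so the prefix-stripping behaviour the advisory notes no longer lets an arbitrary key become part of a statement. The filename is assembled only after both parts have been validated, which is what closes the data file overwrite described for export_handler.php.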