WebCalendar does not adequately validate user input

Overview

WebCalendar does not properly validate user input, allowing attackers to execute arbitrary commands.

Description

WebCalendar is a free PHP application providing web calendar services for user groups. WebCalendar contains an unspecified input validation vulnerability, allowing arbitrary command execution by a malicious WebCalendar user. If WebCalendar is configured in “single-user mode” (a non-default configuration), attackers do not need a WebCalendar account to exploit this vulnerability.

---

Impact

Malicious users can execute arbitrary commands on the server.

---

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

---

An unofficial patch is available from Secure Reality:

<http://www.securereality.com.au/patches/WebCalendar-SecureReality.diff&gt;

---

Vendor Information

951632

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Craig Knudsen Affected

Updated: September 23, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23951632 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

<http://www.securityfocus.com/bid/2639&gt;

Acknowledgements

Thanks to Asher Glynn for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs:	CVE-2001-0477
Severity Metric:	4.28 Date Public: