Matt Kruse Calendar Script 2.2 - Arbitrary Command Execution

ID EDB-ID:19921
Type exploitdb
Reporter suid
Modified 2000-05-16T00:00:00


Matt Kruse Calendar Script 2.2 Arbitrary Command Execution. CVE-2000-0432. Remote exploit for cgi platform


Matt Kruse's Calendar script is a popular, free perl cgi-script used by many websites on the Internet. It allows a website administrator to easily setup and customize a calendar on their website. There are two components of this package, and calls open() with user-input in the command string but does not parse the input for metacharacters. It is therefor possible to execute arbitrary commands on the target host by passing "|shell command|" as one value of the "configuration file" field. The shell that is spawned with the open() call will then execute those commands with the uid of the webserver. This can result in remote access to the system for the attacker. is vulnerable to a similar attack. - easiest.

Assuming http://www.ownable.domain/ has at:

The admin script by default is at:

Going to that URL will result in a username/password/configuration file input fields. Ignoring username and password, enter:

|<command here>|

(With the pipes) in the configuration file field.