PHP iCalendar preferences.php Multiple Variable XSS

2006-12-27T08:33:57
ID OSVDB:32500
Type osvdb
Reporter Lostmon Lords(Lostmon@gmail.com)
Modified 2006-12-27T08:33:57

Description

Vulnerability Description

PHP iCalendar contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'getdate', 'cpath', 'unset' and 'set' variables upon submission to the preferences.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[target]/phpicalendar/preferences.php?cal=Home,US+Holidays,Work&getdate=20061227%22%3E%3Cscript%3Ealert()%3C/script%3E
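The pattern behind the flaw, as an added illustration that is not PHP iCalendar's own code: a query parameter reflected unescaped into an HTML attribute, beside a hardened version that validates the expected YYYYMMDD format and encodes for the attribute context. The function names and the hidden-input markup are assumptions; the tainted value mirrors the one in the manual testing notes.

```php
<?php
// Added illustration, not PHP iCalendar's code: a preferences page that
// reflects the 'getdate' query parameter into an input's value attribute.

// VULNERABLE: the raw parameter is concatenated straight into the attribute.
// A value like  20061227"><script>alert()</script>  closes the quote and the
// tag, so the remainder is rendered as markup and the script runs.
function render_getdate_vulnerable(string $getdate): string
{
    return '<input type="hidden" name="getdate" value="' . $getdate . '">';
}

// HARDENED: allowlist the expected format (eight digits) and encode for the
// HTML attribute context before output. ENT_QUOTES escapes both quote
// characters, so the attribute cannot be closed early even if validation
// is later relaxed to accept other date formats.
function render_getdate_hardened(string $getdate): string
{
    if (!preg_match('/^\d{8}$/', $getdate)) {
        $getdate = date('Ymd'); // fall back to today's date on invalid input
    }
    $safe = htmlspecialchars($getdate, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="getdate" value="' . $safe . '">';
}

// Demonstration with a constructed tainted value of the kind shown above.
$tainted = '20061227"><script>alert()</script>';
echo "vulnerable: ", render_getdate_vulnerable($tainted), PHP_EOL;
echo "hardened:   ", render_getdate_hardened($tainted), PHP_EOL;
echo "hardened:   ", render_getdate_hardened('20061227'), PHP_EOL;
```

The same validate-then-encode treatment applies to the other reflected parameters named in the description ('cpath', 'unset', 'set'), each with an allowlist appropriate to the values it legitimately carries.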

References:

Vendor URL: http://phpicalendar.net/
Security Tracker: 1017449
Secunia Advisory ID: 23499
Related OSVDB ID: 32493
Related OSVDB ID: 32494
Related OSVDB ID: 32495
Related OSVDB ID: 32496
Related OSVDB ID: 32497
Related OSVDB ID: 32498
Related OSVDB ID: 32499
Other Advisory URL: http://lostmon.blogspot.com/2006/12/php-icalendar-multiple-variable-cross.html
ISS X-Force ID: 31146
CVE ID: CVE-2006-6824
Bugtraq ID: 21792