phpWebSite Calendar Module Path Disclosure

2003-08-10T07:51:47
ID OSVDB:3843
Type osvdb
Reporter OSVDB
Modified 2003-08-10T07:51:47

Description

Vulnerability Description

phpWebSite contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when improper input is passed to the "year" variable of the Calendar module, which causes the application to disclose the web server's physical path, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 0.8.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

http://[victim]/index.php?module=calendar&calendar[view]=month&month=11&year=9

References:

Vendor URL: http://phpwebsite.appstate.edu/
Secunia Advisory ID: 9517
Related OSVDB ID: 3842
Related OSVDB ID: 3844
Related OSVDB ID: 2410
Other Advisory URL: http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/1659.html
ISS X-Force ID: 12895
Generic Informational URL: http://phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=577
CVE-2003-0737