calendar.pl.vuln

`Evening,  
  
I wouldnt normally post a small thing like this to bugtraq but i checked out  
cgi-resources.com and it seems to be damn popular so someone here may care.  
  
Oh yeah I notified Matt (the vendor) and he figured it wasnt really an issue.  
  
Oh well.  
  
Visit www.suid.kg/advisories/ for more crap like this.  
  
[email protected]  
  
--cut--  
  
[email protected] - Matt Kruse Calendar Script Vulnerability  
  
Software: Matt Kruse Calendar Script  
URL: http://www.mattkruse.com/scripts/calendar/  
Version: Version 2.2 and below?  
Platforms: UNIX / Windows NT  
Type: Input Validation Failure  
Lame Factor: Damn High  
  
Summary:  
  
Remote users can execute arbitrary commands on the web  
server with the priviledge level of the httpd process.  
  
Vulnerability:  
  
Both the calender.pl and the calendar_admin.pl scripts fail to  
perform proper input validation. The calender_admin.pl script  
for example prompts the user for a configuration file to modify.  
Then in an attempt to authenticate the user to verify they have  
access to modify the specified configuration file, it passes  
the user input straight to perl open(). *yoink*(tm)  
  
Exploit:  
  
calender_admin.pl - easiest  
  
Assuming http://www.ownable.domain/ has calender.pl at:  
  
http://www.ownable.domain/cgi-bin/calender.pl  
  
The admin script by default is at:  
  
http://www.ownable.domain/cgi-bin/calender_admin.pl  
  
Going to that URL will result in a username/password/configuration file  
input fields. Ignoring username and password, enter:  
  
|<command here>|  
  
(With the pipes) in the configuration file field.  
  
e.g.  
  
|ping 127.0.0.1|  
  
Note:  
  
I notice that calender.pl does not sanitise input either and is  
vulnerable to an open attack but am not interested enough to write  
about it.  
  
Blah.  
  
Greets:  
  
duke - WHAT THE HELL!?>!  
horizons  
yowie !  
`