Search...

perl-cal-29920.txt

2005-12-14T00:00:00

ID PACKETSTORM:42250
Type packetstorm
Reporter Sumit Siddharth
Modified 2005-12-14T00:00:00

Description

                                        
                                            `------=_Part_17141_22617522.1134045408185  
Content-Type: text/plain; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
Vendor: Perl-Cal  
  
Version tested: Perl-Cal 2.99.20 , other versions may also be affected.  
  
Type: Cross Site Scripting  
  
Severity: Medium  
  
Vulnerability discovered:- 23rd Nov 2005  
  
Date released:-8 dec 2005  
  
Vulnerability Type: Input Validation Error  
  
Overview:- PerlCal is a CGI script written by Acme Software that allows  
web-based calendar sharing and related functions.There exists a cross-site  
scripting vulnerability as the input in one of the parameters(p0) is not  
filtered correctly.  
  
Description:- The cross-site scripting bug can be executed with a URL like  
so:  
  
http://localhost/cgi-bin/perlcal/cal_make.pl  
?p0=3D%3Cscript%3Ealert('hi');%3C/script%3E  
  
This issue could permit a remote attacker to create a malicious URL link  
that includes hostile HTML and script code. If this link were to be  
followed, the hostile code may be rendered in the web browser of the victim  
user. This would occur in the security context of the affected Web site.  
  
Demonstration:- http://localhost/cgi-bin/perlcal/cal_make.pl  
?p0=3D%3Cscript%3Ewindow.open('http://www.google.com');%3Cscript%3E&lt;http://=  
www.google.com%27%29;%3Cscript%3E&gt;  
  
Other attacks:-  
http://localhost/cgi-bin/perlcal/cal_make.pl  
?p0=3D%3Cscript%3Ealert(document.cookie);&lt;/script&gt;  
  
Solution:  
--------------------  
Vendor has released a patch.  
  
Credits:- $um$id  
  
Sumit  
  
------=_Part_17141_22617522.1134045408185  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
&lt;br&gt;  
Vendor: Perl-Cal&lt;br&gt;  
&lt;br&gt;  
Version tested: Perl-Cal 2.99.20 , other versions may also be affected.&lt;br&gt;  
&lt;br&gt;  
Type: Cross Site Scripting&lt;br&gt;  
&lt;br&gt;  
Severity: Medium&lt;br&gt;  
&lt;br&gt;  
Vulnerability discovered:- 23rd Nov 2005&lt;br&gt;  
&lt;br&gt;  
Date released:-8 dec 2005&lt;br&gt;  
&lt;br&gt;  
Vulnerability Type: Input Validation Error&lt;br&gt;  
&lt;br&gt;  
Overview:-  
PerlCal is a CGI script written by Acme Software that allows web-based  
calendar sharing and related functions.There exists a cross-site  
scripting vulnerability as the input in one of the parameters(p0) is not  
filtered correctly.&lt;br&gt;  
&lt;br&gt;  
Description:- The cross-site scripting bug can be executed with a URL like =  
so:&lt;br&gt;  
&lt;br&gt;  
&lt;a href=3D"http://localhost/cgi-bin/perlcal/cal_make.pl" target=3D"_blank" =  
onclick=3D"return top.js.OpenExtLink(window,event,this)"&gt;http://localhost/c=  
gi-bin/perlcal/cal_make.pl&lt;/a&gt;&lt;br&gt;  
?p0=3D%3Cscript%3Ealert('hi');%3C/script%3E&lt;br&gt;  
&lt;br&gt;  
This  
issue could permit a remote attacker to create a malicious URL link  
that includes hostile HTML and script code. If this link were to be  
followed, the hostile code may be rendered in the web browser of the  
victim user. This would occur in the security context of the affected  
Web site.&lt;br&gt;  
&lt;br&gt;  
Demonstration:- &lt;a href=3D"http://localhost/cgi-bin/perlcal/cal_make.pl" ta=  
rget=3D"_blank" onclick=3D"return top.js.OpenExtLink(window,event,this)"&gt;ht=  
tp://localhost/cgi-bin/perlcal/cal_make.pl&lt;/a&gt;&lt;br&gt;  
?p0=3D%3Cscript%3Ewindow.open('&lt;a href=3D"http://www.google.com%27%29;%3Csc=  
ript%3E" target=3D"_blank" onclick=3D"return top.js.OpenExtLink(window,even=  
t,this)"&gt;http://www.google.com');%3Cscript%3E&lt;/a&gt;&lt;br&gt;  
&lt;br&gt;Other attacks:-&lt;br&gt;  
&lt;a href=3D"http://localhost/cgi-bin/perlcal/cal_make.pl" target=3D"_blank" =  
onclick=3D"return top.js.OpenExtLink(window,event,this)"&gt;http://localhost/c=  
gi-bin/perlcal/cal_make.pl&lt;/a&gt;&lt;br&gt;  
  
?p0=3D%3Cscript%3Ealert(document.cookie);&lt;/script&gt;&lt;br&gt;  
&lt;br&gt;  
Solution:&lt;br&gt;  
--------------------&lt;br&gt;  
Vendor has released a patch.&lt;br&gt;  
&lt;br&gt;  
Credits:- $um$id&lt;br&gt;  
&lt;br&gt;  
Sumit&lt;br&gt;  
  
  
  
  
  
------=_Part_17141_22617522.1134045408185--  
`

JSON Vulners Source

Initial Source

{"type": "packetstorm", "published": "2005-12-14T00:00:00", "reporter": "Sumit Siddharth", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "4c2a66aaba84e2f2b4817ff6762a2f14"}, {"key": "modified", "hash": "34377f0582d4e299f07e592c8fe53f62"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "34377f0582d4e299f07e592c8fe53f62"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "841bb257566f23fc69a3e05453b4a1ac"}, {"key": "sourceData", "hash": "29ef04b65b8c5d49dbed75e14a197beb"}, {"key": "sourceHref", "hash": "6177c6c05ad25d057bdeaf530d97a7df"}, {"key": "title", "hash": "c9d81720ddb8d9895bc8244ec6159f9e"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`------=_Part_17141_22617522.1134045408185 \nContent-Type: text/plain; charset=ISO-8859-1 \nContent-Transfer-Encoding: quoted-printable \nContent-Disposition: inline \n \nVendor: Perl-Cal \n \nVersion tested: Perl-Cal 2.99.20 , other versions may also be affected. \n \nType: Cross Site Scripting \n \nSeverity: Medium \n \nVulnerability discovered:- 23rd Nov 2005 \n \nDate released:-8 dec 2005 \n \nVulnerability Type: Input Validation Error \n \nOverview:- PerlCal is a CGI script written by Acme Software that allows \nweb-based calendar sharing and related functions.There exists a cross-site \nscripting vulnerability as the input in one of the parameters(p0) is not \nfiltered correctly. \n \nDescription:- The cross-site scripting bug can be executed with a URL like \nso: \n \nhttp://localhost/cgi-bin/perlcal/cal_make.pl \n?p0=3D%3Cscript%3Ealert('hi');%3C/script%3E \n \nThis issue could permit a remote attacker to create a malicious URL link \nthat includes hostile HTML and script code. If this link were to be \nfollowed, the hostile code may be rendered in the web browser of the victim \nuser. This would occur in the security context of the affected Web site. \n \nDemonstration:- http://localhost/cgi-bin/perlcal/cal_make.pl \n?p0=3D%3Cscript%3Ewindow.open('http://www.google.com');%3Cscript%3E<http://= \nwww.google.com%27%29;%3Cscript%3E> \n \nOther attacks:- \nhttp://localhost/cgi-bin/perlcal/cal_make.pl \n?p0=3D%3Cscript%3Ealert(document.cookie);</script> \n \nSolution: \n-------------------- \nVendor has released a patch. \n \nCredits:- $um$id \n \nSumit \n \n------=_Part_17141_22617522.1134045408185 \nContent-Type: text/html; charset=ISO-8859-1 \nContent-Transfer-Encoding: quoted-printable \nContent-Disposition: inline \n \n \nVendor: Perl-Cal \n \nVersion tested: Perl-Cal 2.99.20 , other versions may also be affected. \n \nType: Cross Site Scripting \n \nSeverity: Medium \n \nVulnerability discovered:- 23rd Nov 2005 \n \nDate released:-8 dec 2005 \n \nVulnerability Type: Input Validation Error \n \nOverview:- \nPerlCal is a CGI script written by Acme Software that allows web-based \ncalendar sharing and related functions.There exists a cross-site \nscripting vulnerability as the input in one of the parameters(p0) is not \nfiltered correctly. \n \nDescription:- The cross-site scripting bug can be executed with a URL like = \nso: \n \n<a href=3D\"http://localhost/cgi-bin/perlcal/cal_make.pl\" target=3D\"_blank\" = \nonclick=3D\"return top.js.OpenExtLink(window,event,this)\">http://localhost/c= \ngi-bin/perlcal/cal_make.pl</a> \n?p0=3D%3Cscript%3Ealert('hi');%3C/script%3E \n \nThis \nissue could permit a remote attacker to create a malicious URL link \nthat includes hostile HTML and script code. If this link were to be \nfollowed, the hostile code may be rendered in the web browser of the \nvictim user. This would occur in the security context of the affected \nWeb site. \n \nDemonstration:- <a href=3D\"http://localhost/cgi-bin/perlcal/cal_make.pl\" ta= \nrget=3D\"_blank\" onclick=3D\"return top.js.OpenExtLink(window,event,this)\">ht= \ntp://localhost/cgi-bin/perlcal/cal_make.pl</a> \n?p0=3D%3Cscript%3Ewindow.open('<a href=3D\"http://www.google.com%27%29;%3Csc= \nript%3E\" target=3D\"_blank\" onclick=3D\"return top.js.OpenExtLink(window,even= \nt,this)\">http://www.google.com');%3Cscript%3E</a> \n Other attacks:- \n<a href=3D\"http://localhost/cgi-bin/perlcal/cal_make.pl\" target=3D\"_blank\" = \nonclick=3D\"return top.js.OpenExtLink(window,event,this)\">http://localhost/c= \ngi-bin/perlcal/cal_make.pl</a> \n \n?p0=3D%3Cscript%3Ealert(document.cookie);</script> \n \nSolution: \n-------------------- \nVendor has released a patch. \n \nCredits:- $um$id \n \nSumit \n \n \n \n \n \n------=_Part_17141_22617522.1134045408185-- \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:20:22", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/42250/perl-cal-29920.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/42250/perl-cal-29920.txt", "title": "perl-cal-29920.txt", "enchantments": {"score": {"vector": "NONE", "value": 4.3}, "vulnersScore": 4.3}, "references": [], "id": "PACKETSTORM:42250", "hash": "0410a9d19cba2a518df76876fee5904bee9dbfac0eb924e997128836f4902ad5", "edition": 1, "cvelist": [], "modified": "2005-12-14T00:00:00", "description": ""}