-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Security Risk: Moderate Exploitable: Remotely Vulnerability: Information disclosure Version: Multiple Versions
PHP-Calendar (http://www.php-calendar.com) was "written for a college social group at Northeastern University to keep track of events, etc. We were previously using localendar, which I (Sean Proctor) didn't like and had some problems with. I found CST-Calendar which did most of what I wanted, but was rather ugly and missed some features that we needed. So, I gradually re-wrote CST-Calendar since that project seemed to have stopped work entirely."
This vulnerability centers around the fact that PHP-Calendar comes with update scripts to update previous versions of the software. These scripts will print to the screen the database host, username, password, database name, table prefix, and database type. This file is named in two separate conventions depending on the installed version of PHP-Calendar. In versions prior to 1.1 this file is named "update.php" in version 1.1 two files exist named "update08.php" and "update10.php". Calling these files via a web browser (e.x. http://targetsite.com/phpcalendar/update.php) will print a succinct message including the above described information.
Determinging version of PHP-Calendar is often trivial as a NEWS file is included in every distribution that will reveal version information. Browsing to http://targetsite.tld/phpcalendar/NEWS will display the versioning information if that file is present. Note that several versions of PHP-Calendar are affected by other vulnerabilities (SQL injection - http://www.securityfocus.com/bid/13405/, remote file inclusion - http://www.securityfocus.com/bid/12127/).
Removal of the update scripts and all other unnecessary files (AUTHORS, COPYING, FAQ, INSTALL, NEWS, README, UPDATE) should remedy this vulnerability. Unfortunately instructions about the removal of these files is not included in the installation guide or the automated install scripts.
Justin C. Klein Keane http://www.MadIrish.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQD1AwUBSYxeVZEpbGy7DdYAAQLjfgb/dUsoJhEHQt4vO5f0TdRHwvBCgn4a9lQv OKM/Eg3jLbAVHHLitBJnN8TabGr2DUc+aJYSk62BCY2r8HrLZGsNd9fLkKWNZYKR BH7CV0LBtRyicP25NVeBPQ133Z7UYpH+cbbAmp+W00OdomPANsQcGtNzwFPuDbXo lQyGKzgLsKQD1iS+FYifkW5QC0Z5O0RkphInxTR5JGODcSVah3y3l6aWxIl0q2eq cMWR+qDY2A9fP0VzwlANhLMcgO/XI4ZmAxDKC17g/BkHTEqL/SFwuRcvoocsvcQ3 jcloc+gm+68= =kWDx -----END PGP SIGNATURE-----
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/