WebCalendar <= 1.2.4 Two Security Vulnerabilities

2012-04-24T00:00:00
ID SECURITYVULNS:DOC:27995
Type securityvulns
Reporter Securityvulns
Modified 2012-04-24T00:00:00

Description
author..........: Egidio Romano aka EgiX
mail............: n0b0d13s[at]gmail[dot]com
software link...: https://sourceforge.net/projects/webcalendar/

[-] vulnerable code in /install/index.php (CVE-2012-1495)

  $y = getPostValue ( 'app_settings' );
  if ( ! empty ( $y ) ) {
    // Settings values are taken straight from the POST request.
    $settings['single_user_login'] = getPostValue ( 'form_single_user_login' );
    $settings['readonly'] = getPostValue ( 'form_readonly' );
    ...
  // Save settings to file now.
  if ( ! empty ( $x ) || ! empty ( $y ) ) {
    $fd = @fopen ( $file, 'w+b', false );
    if ( empty ( $fd ) ) {
      if ( @file_exists ( $file ) ) {
        $onloadDetailStr =
          translate ( 'Please change the file permissions of this file', true );
      } else {
        $onloadDetailStr =
          translate ( 'Please change includes dir permission', true );
      }
      $onload = "alert('" . $errorFileWriteStr . $file . "\\n" .
        $onloadDetailStr . ".');";
    } else {
      if ( function_exists ( "date_default_timezone_set" ) )
        date_default_timezone_set ( "America/New_York" );
      fwrite ( $fd, "<?php\r\n" );
      fwrite ( $fd, '/* updated via install/index.php on ' . date ( 'r' ) . "\r\n" );
      // Each unsanitized value is written verbatim into the PHP settings file.
      foreach ( $settings as $k => $v ) {
        if ( $v != '<br />' && $v != '' )
          fwrite ( $fd, $k . ': ' . $v . "\r\n" );
      }

Access to this script isn't properly restricted, so an attacker might be able to update /includes/settings.php with arbitrary values or inject PHP code into it.

[-] code vulnerable to LFI in /pref.php (CVE-2012-1496)

  if ( ! empty ( $_POST ) && empty ( $error ) ) {
    $my_theme = '';
    $currenttab = getPostValue ( 'currenttab' );
    save_pref ( $_POST, 'post' );   // sets $my_theme from $_POST['pref_THEME']
    if ( ! empty ( $my_theme ) ) {
      // The theme name from the request is used directly to build the include path.
      $theme = 'themes/' . $my_theme . '_pref.php';
      include_once $theme;
      save_pref ( $webcal_theme, 'theme' );
    }

Input passed through $_POST['pref_THEME'] isn't properly sanitized before being assigned to the $my_theme variable; this can be exploited to include arbitrary local files via the include_once at line 77. Exploitation of this vulnerability requires authentication and magic_quotes_gpc = off.
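A hardened way to resolve the selected theme before it reaches include_once, as an added example that is not WebCalendar's or the author's code; resolve_theme_file() and the themes/ directory path are assumed names:

```php
<?php
// Added example (not WebCalendar's own code): validate the theme name taken
// from pref_THEME and confine the resulting path to the themes directory.
// resolve_theme_file() and the themes/ layout are assumptions for illustration.

/**
 * Return the absolute path of "<themes_dir>/<name>_pref.php" only if $name is a
 * plain theme identifier and the resolved file really lives inside $themes_dir.
 * Returns null otherwise (traversal, null bytes, wrappers, unknown theme), so the
 * caller never hands attacker-controlled paths to include_once.
 */
function resolve_theme_file(string $name, string $themes_dir): ?string
{
    // 1. Syntactic allowlist: a theme identifier is a short alphanumeric token.
    //    This rejects "../", "/", "\0" and stream wrappers before touching the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    $base = realpath($themes_dir);
    if ($base === false) {
        return null;                       // themes dir missing: fail closed
    }

    // 2. Resolve the candidate and confirm it is still inside the themes directory.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . '_pref.php');
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // file does not exist or escaped the base
    }
    return $candidate;
}

// Usage mirroring the vulnerable block in pref.php: the include only runs after
// validation, instead of trusting $my_theme straight from $_POST.
$my_theme = (isset($_POST['pref_THEME']) && is_string($_POST['pref_THEME']))
    ? $_POST['pref_THEME'] : '';
$theme_file = resolve_theme_file($my_theme, __DIR__ . '/themes');
if ($theme_file !== null) {
    include_once $theme_file;
} elseif ($my_theme !== '') {
    // Rejected selections are logged (hex-encoded) so probing attempts are visible.
    error_log('pref.php: rejected theme selection 0x' . bin2hex($my_theme));
}
```

Because the identifier check runs before realpath(), the check does not depend on magic_quotes_gpc or on how PHP treats null bytes in file functions.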

[-] Disclosure timeline:

[02/10/2011] - Vulnerabilities discovered
[04/10/2011] - Vendor notified to http://sourceforge.net/support/tracker.php?aid=3418570
[20/02/2012] - First vendor response
[28/02/2012] - Vendor fix committed to CVS
[29/02/2012] - Version 1.2.5 released
[02/03/2012] - CVE numbers requested
[02/03/2012] - Assigned CVE-2012-1495 and CVE-2012-1496
[23/04/2012] - Public disclosure