Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBB

Type securityvulns
Reporter Securityvulns
Modified 2005-03-24T00:00:00


  • CODEBUG Labs
  • Advisory #8
  • Title: Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBB
  • Author: Alberto Trivero
  • English Version: Alberto Trivero
  • Product: Topic Calendar 1.0.1
  • Type: Multiple Vulnerabilities
  • Web:

--) Software Page (

Topic Calendar is a quite widespread MOD for phpBB all version that will add a calendar to the board, using topics as event. The authorizations are managed at forums, groups and users level, as the standard phpBB auths.

--) Full Path Disclosure

If phpBB is running on a Microsoft IIS Server, it's possible to obtain the full path by sending simples requests like these:

Note that these requests doesn't works under the others webservers like Apache.

--) Cross-Site Scripting (XSS)

Let's look at code from calendar_scheduler.php at line 82:

<? ... if ( isset($HTTP_POST_VARS['start']) || isset($HTTP_GET_VARS['start']) ) { $start = isset($HTTP_POST_VARS['start']) ? $HTTP_POST_VARS['start'] : $HTTP_GET_VARS['start']; } ... ?>

and at line 375:

<? ... $s_hidden_fields .= '<input type="hidden" name="start" value="' . $start . '" />'; ... ?>

$start is a variable that can be controlled by a remote user, and, as we can see, there isn't any control on she, so anyone con inject some HTML code like:


that will change the HTML line in:

<input type="hidden" name="start" value=""><script>alert(document.cookie)</script>" />

executing the <script>...</script> tag that show, in this case, the cookies. This is the complete URL: alert(document.cookie)%3C/script%3E

--) Patch

To fix the XSS bug we can use the function intval() at line 85 of calendar_scheduler.php:

<? ... if ( isset($HTTP_POST_VARS['start']) || isset($HTTP_GET_VARS['start']) ) { $start = isset($HTTP_POST_VARS['start']) ? $HTTP_POST_VARS['start'] : $HTTP_GET_VARS['start']; $start = intval($start) } ... ?>