PHPMyAgenda Agenda.PHP3 Remote File Include Vulnerability

Bugtraq ID:	17670
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 24 2006 12:00AM
Updated:	May 17 2006 04:04PM
Credit:	Aesthetico is credited with the discovery of this vulnerability.
Vulnerable:	phpMyAgenda phpMyAgenda 3.0 Final
Not Vulnerable:	phpMyAgenda phpMyAgenda 3.1. Beta 1

PHPMyAgenda Agenda.PHP3 Remote File Include Vulnerability

phpMyAgenda is prone to a remote file-include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

phpMyAgenda 3.0 Final and prior versions are affected.

PHPMyAgenda Agenda.PHP3 Remote File Include Vulnerability


This issue can be exploited through a web client.

A proof of concept is available.

• /data/vulnerabilities/exploits/phpMyAgenda_fi.txt

PHPMyAgenda Agenda.PHP3 Remote File Include Vulnerability

Solution:
The vendor has release version 3.1 Beta 1 to address this issue.

PHPMyAgenda Agenda.PHP3 Remote File Include Vulnerability

References:

• phpMyAgenda Homepage (phpMyAgenda )
  
• [MajorSecurity] phpMyAgenda 3.0 Final - Remote File Include ([email protected])
  
• tyree[at]users.sourceforge.net ([email protected])