CalendarScript Discloses Installation Path and Debug Information to Remote Users and Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1013705
|
|
SecurityTracker URL: http://securitytracker.com/id?1013705
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Apr 14 2005
|
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Version(s): 3.20, 3.21
|
Description: sNKenjoi reported several vulnerabilities in CalendarScript. A remote user can determine the installation path. A remote user can conduct cross-site scripting attacks. A remote user can also view debug information.
The 'calendar.pl' script does not properly validate user-supplied input. A remote user can create a specially crafted URL that,
when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate
from the site running the CalendarScript software and will run in the security context of that site. As a result, the code will
be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently
submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration
exploit URL is provided:
http://[target]/cgi-bin/calendar/calendar.pl?calendar=[valid calender]&template=[XSS]
This type of
URL will also cause the system to disclose the installation path.
A remote user can also supply an invalid calendar name to determine
the installation path.
Version 3.20 is affected.
In version 3.21, a remote user can supply the following type of URL to cause
the system to disclose the installation path as well as some debug information:
http://[target]/cgi-bin/calendar/calendar.pl?calendar=[valid
calender]&year=f00b4r
http://[target]/cgi-bin/calendar/calendar.pl?calendar=[valid calender]&month=f00b4r
Also in version 3.21,
the 'username' parameter is not filtered to remove HTML code. A demonstration exploit URL is provided:
http://[target]/cgi-bin/calendar/calendar.pl?calendar=[valid
calender]&command=login&username=[XSS]&template=login.htm
The original advisory is available at:
http://www.snkenjoi.com/secadv/secadv3.txt
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
CalendarScript software, access data recently submitted by the target user via web form to the site, or take actions on the site
acting as the target user.
A remote user can determine the installation path.
A remote user can view debug information.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.calendarscript.com/ (Links to External Site)
|
Cause: Access control error, Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Thom <snkenjoi@gmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 12 Apr 2005 17:36:11 +0000
From: Thom <snkenjoi@gmail.com>
Subject: 4 new security advisorys
|
http://www.snkenjoi.com/secadv/secadv1.txt
http://www.snkenjoi.com/secadv/secadv2.txt
http://www.snkenjoi.com/secadv/secadv3.txt
http://www.snkenjoi.com/secadv/secadv4.txt
--
snkenjoi.com
|
|
