Vendor: WebCalendar
By: Egidio Romano aka EgiX
CVSS: 9.8 (CRITICAL)
Vulnerability Type: Remote Code Execution
CWE: 78
Product Name: WebCalendar
Affected Version From: 1.2.2000
Affected Version To: 1.2.2004
Patch Exists: NO
Related CWE: CVE-2012-1495
CPE: a:webcalendar:webcalendar:1.2.4
Other Scripts:
Platforms Tested:
2012

WebCalendar <= 1.2.4 Remote Code Execution Exploit

WebCalendar <= 1.2.4 is vulnerable to remote code execution (CVE-2012-1495). The vulnerability is in the /install/index.php file: the code at line 726 attempts to open a file for writing, but does not check if the file handle is empty. This allows an attacker to write arbitrary PHP code to the file, resulting in remote code execution.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a version of WebCalendar that is not affected by this issue. Additionally, ensure that file permissions are set correctly to prevent unauthorized modification of files.
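A read-only audit for the two conditions described above, added here as an example and not taken from the original advisory or the WebCalendar project: it reports whether install/index.php is still deployed and which PHP files or directories the web server account can modify. The function name, the WEBUSER argument and the output labels are assumptions.

```shell
#!/bin/sh
# Added example (not WebCalendar code). Read-only: nothing is modified.
# Usage: audit_webcalendar DIR WEBUSER
#   DIR      path of the deployed WebCalendar tree (assumed layout)
#   WEBUSER  account the web server runs as, name or numeric uid (assumption)
# Prints one finding per line; returns 0 if clean, 1 if findings, 2 on bad usage.
audit_webcalendar() {
    root=$1 webuser=$2 status=0
    if [ ! -d "$root" ] || [ -z "$webuser" ]; then
        echo "usage: audit_webcalendar DIR WEBUSER" >&2
        return 2
    fi

    # The vulnerable code is in install/index.php, so report it if it is
    # still present on a deployed site.
    if [ -f "$root/install/index.php" ]; then
        echo "INSTALLER_PRESENT $root/install/index.php"
        status=1
    fi

    # PHP files and directories the web server account can modify: either
    # owned by that account with the owner-write bit set, or world-writable.
    # Group write access is not evaluated here.
    hits=$(find "$root" \( -type d -o \( -type f -name '*.php' \) \) \
               \( \( -user "$webuser" -perm -200 \) -o -perm -002 \) -print)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/WRITABLE /'
        status=1
    fi
    return "$status"
}

# Run directly when called with arguments, e.g.:
#   sh audit.sh /var/www/webcalendar www-data   (constructed path and user)
if [ "$#" -ge 2 ]; then
    audit_webcalendar "$1" "$2"
fi
```

An unknown WEBUSER name makes find print an error and report nothing, so confirm the account name before trusting a clean result.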