[UNIX] phpEventCalendar HTML Injection
From: SecuriTeam (support_at_securiteam.com)
Date: 01/31/05
To: list@securiteam.com
Date: 31 Jan 2005 09:53:59 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpEventCalendar HTML Injection
------------------------------------------------------------------------
SUMMARY
<http://www.ikemcg.com/scripts/pec/index.html> phpEventCalendar is "a
MySQL backed application that allows users to post and display events or
notes on a month-at-a-glance calendar. A user administration panel allows
authorized users (Administrators) to control who can add, delete, and edit
events (Editors)".
phpEventCalendar doesn't check the title and/or text of events inserted in
the database, so we can inject arbitrary HTML and/or JavaScript that will
be executed by other users.
DETAILS
Vulnerable Systems:
* phpEventCalendar version 0.2 or prior
Immune Systems:
* phpEventCalendar version 0.2.1 or newer
When a new event is inserted, phpEventCalendar doesn't check the values of
the title and text variables; it only escapes them where necessary to avoid
SQL injection. These values are later retrieved when other users view the
calendar and are shown after stripslashes, so we can write arbitrary HTML
(or JavaScript) that will be executed by other users when they look at the
calendar (if inserted in the title, but note that there's a limit on the
length of the title shown in the calendar) or when they look at the
individual entry.
Example:
Insert an event with text: <script>alert(document.cookie);</script>
Timeline:
07/01/2005 - Vulnerability found
07/01/2005 - Vendor contacted
08/01/2005 - Vendor replied confirming bug
18/01/2005 - New version released
25/01/2005 - Advisory released
ADDITIONAL INFORMATION
The information has been provided by <mailto:madelman@iname.com>
Madelman.
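
The storage and display paths described in DETAILS, as an added example that is not phpEventCalendar's own code. It contrasts display via stripslashes alone with HTML encoding at output time; the function names, the 20-character title limit and the sample title are assumptions.

```php
<?php
// Added illustration; hypothetical function names, not phpEventCalendar's code.

// Storage side as the advisory describes it: the value is escaped for SQL only.
// addslashes() stands in here for whatever SQL escaping the application uses.
function store_value(string $input): string {
    return addslashes($input);
}

// Vulnerable display path: slashes are removed and the raw value is emitted
// into the page, so any markup in the event is interpreted by the browser.
function render_vulnerable(string $stored): string {
    return stripslashes($stored);
}

// Hardened display path: encode for the HTML context at output time.
// ENT_QUOTES covers attribute contexts; ENT_SUBSTITUTE replaces invalid UTF-8.
function render_safe(string $stored): string {
    return htmlspecialchars(stripslashes($stored),
                            ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Title in the month view: truncate the raw text first, then encode, so the
// cut can never land inside an entity such as &lt; (limit of 20 is assumed).
function render_title_safe(string $stored, int $maxLen = 20): string {
    $raw = stripslashes($stored);
    if (strlen($raw) > $maxLen) {
        $raw = substr($raw, 0, $maxLen) . '...';
    }
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: the event text from the advisory's example,
// plus a made-up title containing markup and a quote.
$text  = store_value('<script>alert(document.cookie);</script>');
$title = store_value("Team lunch <b>at Joe's</b> place");

echo "vulnerable: ", render_vulnerable($text), "\n";
echo "safe text:  ", render_safe($text), "\n";
echo "safe title: ", render_title_safe($title), "\n";
```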