Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: WebCalendar
From: Louis Wang <bill.louis () gmail com>
Date: Sat, 3 Dec 2005 09:52:46 +0800

Hi, Dan:

For some vulnerability has fixed by the vendor, I have update this
vulnerability advisory, sorry for any trouble I have caused to you.


The following is the updated advisory.:

===================================================
WebCalendar CRLF Injection Vulnerability

I. BACKGROUND
WebCalendar is a PHP application used to maintain a calendar for one
or more persons and for a variety of purposes.

II. DESCRIPTION
CRLF injection vulnerability in WebCalendar layers_toggle.php allows
remote attackers to inject false HTTP headers into an HTTP request,
via a URL containing encoded carriage return, line feed, and other
whitespace characters.

III. PUBLISH DATE
Publish Date: 2005-12-1
Update Date: 2005-12-2

IV. AUTHOR
lwang (lwang at lwang dot org)

V. AFFECTED SOFTWARE
WebCalendar version 1.0.1 and 1.1.0 are affected. Older versions are
not verified.

VI. ANALYSIS
in layers_toggle.php, parameter $ret does not validation.
if ( empty ( $error ) ) {
// Go back to where we where if we can figure it out.
if ( strlen ( $ret ) )
do_redirect ( $ret );
else if ( ! empty ( $HTTP_REFERER ) )
do_redirect ( $HTTP_REFERER );
else
send_to_preferred_view ();

Proof of Concept:
http://victim/webcalendar/layers_toggle.php?status=on&ret=[url_redirect_to]


VII. SOLUTION
Input validation will fix the bug.

VIII. ADVISORY
http://vd.lwang.org/webcalendar_crlf_injection.txt

VIII. REFERENCE
http://www.k5n.us/webcalendar.php






On 12/2/05, Daniel Bertrand <danb () securityfocus com> wrote:

Hi,

What is the vendor web site for this application? I need this information
to write up this BID.

Regards,

Dan B.







--
Regards,
Bill Louis


  By Date           By Thread  

Current thread:
  • Re: WebCalendar Louis Wang (Dec 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]