PHP-Calendar SQL Credential Disclosure
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Fri, 06 Feb 2009 10:59:18 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Security Risk: Moderate
Vulnerability: Information disclosure
Version: Multiple Versions
PHP-Calendar (http://www.php-calendar.com) was "written for a college
social group at Northeastern University to keep track of events, etc. We
were previously using localendar, which I (Sean Proctor) didn't like and
had some problems with. I found CST-Calendar which did most of what I
wanted, but was rather ugly and missed some features that we needed. So,
I gradually re-wrote CST-Calendar since that project seemed to have
stopped work entirely."
This vulnerability centers around the fact that PHP-Calendar ships with
update scripts used to migrate previous versions of the software. These
scripts print the database host, username, password, database name,
table prefix, and database type to the screen. The script is named
differently depending on the installed version of PHP-Calendar: in
versions prior to 1.1 it is named "update.php"; in version 1.1 two files
exist, named "update08.php" and "update10.php". Requesting these files
with a web browser (e.g. http://targetsite.com/phpcalendar/update.php)
prints a succinct message containing the information described above.
Determining the version of PHP-Calendar is often trivial, as a NEWS file
that reveals version information is included in every distribution.
Browsing to http://targetsite.tld/phpcalendar/NEWS will display the
versioning information if that file is present. Note that several
versions of PHP-Calendar are affected by other vulnerabilities (SQL
injection - http://www.securityfocus.com/bid/13405/, remote file
inclusion - http://www.securityfocus.com/bid/12127/).
Removal of the update scripts and all other unnecessary files (AUTHORS,
COPYING, FAQ, INSTALL, NEWS, README, UPDATE) should remedy this
vulnerability. Unfortunately, instructions about the removal of these
files are not included in the installation guide or the automated install
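The following script is an added example and is not part of the advisory or of PHP-Calendar itself. It turns the mitigation above into a repeatable check: given an install directory (assumed to be passed as an argument), it lists the leftover update scripts and distribution files named in the advisory, removes them on request, and also flags web-server access-log lines that request any of those paths, so an administrator can tell whether the update scripts were ever fetched before they were removed. The sample directory and the log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory or the PHP-Calendar project.
# Audits a PHP-Calendar install for files the advisory says to remove.

# File names taken from the advisory: "update.php" (versions before 1.1),
# "update08.php" and "update10.php" (1.1), plus the listed docs.
PHPCAL_LEFTOVERS="update.php update08.php update10.php AUTHORS COPYING FAQ INSTALL NEWS README UPDATE"

# Print every leftover file present under the directory given as $1,
# one path per line. Exit status 1 when at least one was found.
phpcal_leftovers() {
    dir="$1"
    found=0
    for name in $PHPCAL_LEFTOVERS; do
        if [ -f "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            found=1
        fi
    done
    return $found
}

# Number of leftover files present under $1 (tr strips BSD wc padding).
phpcal_leftover_count() {
    phpcal_leftovers "$1" | wc -l | tr -d ' '
}

# Delete the leftovers under $1, printing each removed path.
phpcal_remove_leftovers() {
    dir="$1"
    for name in $PHPCAL_LEFTOVERS; do
        if [ -f "$dir/$name" ]; then
            rm -f -- "$dir/$name"
            printf 'removed %s\n' "$dir/$name"
        fi
    done
}

# Read access-log lines (common log format) on stdin and print those whose
# request path ends in one of the leftover file names.
phpcal_log_hits() {
    # Escape dots and join the names with "|" to build an ERE alternation.
    pattern=$(printf '%s' "$PHPCAL_LEFTOVERS" | sed 's/\./\\./g; s/ /|/g')
    grep -E "\"(GET|POST|HEAD) [^ ]*/($pattern)( |\?)"
}

# Constructed sample log lines (not real traffic); the third one is a hit
# on the update script, the second a hit on the NEWS version file.
SAMPLE_LOG='203.0.113.5 - - [06/Feb/2009:10:59:18 -0500] "GET /phpcalendar/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [06/Feb/2009:11:02:41 -0500] "GET /phpcalendar/NEWS HTTP/1.1" 200 812
203.0.113.7 - - [06/Feb/2009:11:02:52 -0500] "GET /phpcalendar/update.php HTTP/1.1" 200 433'

# Demo on a constructed directory standing in for a real install.
demo_dir=$(mktemp -d)
touch "$demo_dir/index.php" "$demo_dir/update.php" "$demo_dir/NEWS"
echo "Leftover files found:"
phpcal_leftovers "$demo_dir" || true
phpcal_remove_leftovers "$demo_dir"
echo "Remaining leftovers: $(phpcal_leftover_count "$demo_dir")"
echo "Access-log requests for leftover files:"
printf '%s\n' "$SAMPLE_LOG" | phpcal_log_hits
rm -rf "$demo_dir"
```

Run it as `sh audit.sh` to see the demo; in practice, call `phpcal_leftovers /var/www/phpcalendar` (path assumed) from a cron job so a future upgrade that reintroduces the update scripts is noticed, and feed the real access log into `phpcal_log_hits` to see whether the scripts were requested while they were still present.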
Justin C. Klein Keane
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----