Re: WebCalendar

[Louis Wang <bill.louis () gmail com>]

Hi, Dan:

For some vulnerability has fixed by the vendor, I have update this
vulnerability advisory, sorry for any trouble I have caused to you.


The following is the updated advisory.:

===================================================
WebCalendar CRLF Injection Vulnerability

I. BACKGROUND
WebCalendar is a PHP application used to maintain a calendar for one
or more persons and for a variety of purposes.

II. DESCRIPTION
CRLF injection vulnerability in WebCalendar layers_toggle.php allows
remote attackers to inject false HTTP headers into an HTTP request,
via a URL containing encoded carriage return, line feed, and other
whitespace characters.

III. PUBLISH DATE
Publish Date: 2005-12-1
Update Date: 2005-12-2

IV. AUTHOR
lwang (lwang at lwang dot org)

V. AFFECTED SOFTWARE
WebCalendar version 1.0.1 and 1.1.0 are affected. Older versions are
not verified.

VI. ANALYSIS
in layers_toggle.php, parameter $ret does not validation.
if ( empty ( $error ) ) {
// Go back to where we where if we can figure it out.
if ( strlen ( $ret ) )
do_redirect ( $ret );
else if ( ! empty ( $HTTP_REFERER ) )
do_redirect ( $HTTP_REFERER );
else
send_to_preferred_view ();

Proof of Concept:
http://victim/webcalendar/layers_toggle.php?status=on&ret=[url_redirect_to]


VII. SOLUTION
Input validation will fix the bug.

VIII. ADVISORY
http://vd.lwang.org/webcalendar_crlf_injection.txt

VIII. REFERENCE
http://www.k5n.us/webcalendar.php






On 12/2/05, Daniel Bertrand <danb () securityfocus com> wrote:
> Hi,
>
> What is the vendor web site for this application? I need this information
> to write up this BID.
>
> Regards,
>
> Dan B.



--
Regards,
Bill Louis