Bugtraq mailing list archives
Re: WebCalendar
From: Louis Wang <bill.louis () gmail com>
Date: Sat, 3 Dec 2005 09:52:46 +0800
Hi, Dan: For some vulnerability has fixed by the vendor, I have update this vulnerability advisory, sorry for any trouble I have caused to you. The following is the updated advisory.: =================================================== WebCalendar CRLF Injection Vulnerability I. BACKGROUND WebCalendar is a PHP application used to maintain a calendar for one or more persons and for a variety of purposes. II. DESCRIPTION CRLF injection vulnerability in WebCalendar layers_toggle.php allows remote attackers to inject false HTTP headers into an HTTP request, via a URL containing encoded carriage return, line feed, and other whitespace characters. III. PUBLISH DATE Publish Date: 2005-12-1 Update Date: 2005-12-2 IV. AUTHOR lwang (lwang at lwang dot org) V. AFFECTED SOFTWARE WebCalendar version 1.0.1 and 1.1.0 are affected. Older versions are not verified. VI. ANALYSIS in layers_toggle.php, parameter $ret does not validation. if ( empty ( $error ) ) { // Go back to where we where if we can figure it out. if ( strlen ( $ret ) ) do_redirect ( $ret ); else if ( ! empty ( $HTTP_REFERER ) ) do_redirect ( $HTTP_REFERER ); else send_to_preferred_view (); Proof of Concept: http://victim/webcalendar/layers_toggle.php?status=on&ret=[url_redirect_to] VII. SOLUTION Input validation will fix the bug. VIII. ADVISORY http://vd.lwang.org/webcalendar_crlf_injection.txt VIII. REFERENCE http://www.k5n.us/webcalendar.php On 12/2/05, Daniel Bertrand <danb () securityfocus com> wrote:
Hi, What is the vendor web site for this application? I need this information to write up this BID. Regards, Dan B.
-- Regards, Bill Louis
Current thread:
- Re: WebCalendar Louis Wang (Dec 03)