PHP Event Calendar Multiple Parameter Cross Site Scripting Vulnerability

OS2A ID: OS2A_1007

Status:
08/20/2006 Issue Discovered
09/06/2006 Reported to the Vendor
09/09/2006 Fixed by Vendor
09/13/2006 Advisory Released

Class: Cross Site Scripting
Severity: Low

Overview:
---------
PHP Event Calendar is a reusable PHP script that extends a web site's functionality with an event scheduler and/or news archive.
http://www.softcomplex.com/products/php_event_calendar/

Description:
------------
A cross-site scripting vulnerability exists in PHP Event Calendar due to an input validation error in the title (ti), body (bi) and background image (cbgi) parameters of the cl_files/index.php page when adding a new event. Successful exploitation requires authentication.

Impact:
-------
An authenticated remote attacker could inject malicious HTML and script code into other users' browser sessions within the security context of the affected site.

Affected Software(s):
---------------------
PHP Event Calendar 1.5.1 (prior versions may also be vulnerable)

Proof of Concept:
-----------------
http://www.yoursite.com/directory_where_you_installed_php_event_calendar/cl_files/index.php

Vulnerable fields:
title field - ti
body field - bi
Background Image - cbgi

Insert "" in the above fields and click "Add event".

CVSS Score Report:
-----------------
ACCESS_VECTOR = REMOTE
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
IMPACT_BIAS = INTEGRITY
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = OFFICIAL_FIX
REPORT_CONFIDENCE = CONFIRMED

CVSS Base Score = 2.1 (AV:R/AC:L/Au:R/C:N/I:P/A:N/B:I)
CVSS Temporal Score = 1.6
Risk factor = Low

Vendor Response:
---------------
"Attached is the version that blocks the use of the
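The Description section above names three event fields (ti, bi, cbgi) that reach the page without validation or output encoding. The following PHP is an added example written for this advisory; it is not the vendor's code and does not come from cl_files/index.php. It assumes, as a simplification, that the calendar interpolates the stored title and body into HTML text and uses the background image value inside a style attribute; the function names, the `images/` path and the file-name allowlist are assumptions. It shows the raw-interpolation pattern that produces the stored XSS beside a hardened renderer that context-encodes the text fields and allowlists the image field.

```php
<?php
// Added example (not the vendor's code). Field names ti/bi/cbgi come from the
// advisory; how they are rendered, and all helper names, are assumptions.
declare(strict_types=1);

/** Encode arbitrary text for use in an HTML text node or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Allow only a plain image file name for the background image field, so the
 * value can never break out of the style attribute or smuggle a javascript:
 * URL into url(). Returns null for anything else. (Allowlist is an assumption.)
 */
function validateBackgroundImage(string $name): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(?:png|jpe?g|gif)\z/i', $name) === 1
        ? $name
        : null;
}

/** Vulnerable pattern for contrast: raw, user-supplied values straight into HTML. */
function renderEventUnsafe(array $event): string
{
    return '<div class="event" style="background-image:url(images/' . $event['cbgi'] . ')">'
         . '<h3>' . $event['ti'] . '</h3><p>' . $event['bi'] . '</p></div>';
}

/** Hardened renderer: encode text fields at output time, allowlist the image. */
function renderEvent(array $event): string
{
    $title = h((string)($event['ti'] ?? ''));
    // Escape first, then convert newlines to <br />, so the only tags are ours.
    $body  = nl2br(h((string)($event['bi'] ?? '')));
    $img   = validateBackgroundImage((string)($event['cbgi'] ?? ''));
    // A rejected image value simply yields no style attribute at all.
    $style = $img !== null
        ? ' style="background-image:url(' . h('images/' . $img) . ')"'
        : '';
    return "<div class=\"event\"{$style}><h3>{$title}</h3><p>{$body}</p></div>";
}

// Constructed sample submission (not the advisory's payload) exercising all
// three fields with markup that must not survive into the page.
$sample = [
    'ti'   => '<b>Meeting</b><script>alert(1)</script>',
    'bi'   => 'Line one' . "\n" . '"><img src=x onerror=alert(2)>',
    'cbgi' => 'x.png"); background:url(javascript:alert(3)',
];

echo renderEventUnsafe($sample), PHP_EOL; // tags and the forged attribute reach the browser intact
echo renderEvent($sample), PHP_EOL;       // &lt;b&gt;Meeting&lt;/b&gt;... and no style attribute
```

The fix belongs at output time for ti and bi (encoding at input time breaks the stored data for any non-HTML consumer), while cbgi is the one field where rejecting unexpected input is appropriate, because a file name has a narrow legitimate shape and is used in an attribute context where HTML encoding alone does not neutralise a javascript: URL.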