Vendor: Brown Bear Software
Vendor web page: http://brownbearsw.com/
Product: Calcium web calendar
Product web page: http://brownbearsw.com/calcium/WhatIsIt.html

Vendor's Product Description:
Calcium is a Web Calendar application. It will run on nearly any machine with a web server that can run Perl CGI scripts; a web browser is all you need to view, edit, and manage any number of calendars from any network connected computer. All administration is done with your browser - after installation, there's no need to log in to the web server.

Vulnerability class: Cross-Site Scripting
Severity: Medium

Vulnerability details:
Calcium web calendar is vulnerable to "reflected" (type 1) cross-site scripting (XSS). For a discussion of the various types of XSS, and XSS in general, see http://en.wikipedia.org/wiki/Cross_Site_Scripting

Proof of concept, version 4.0.4:
https://[yourserver]/cgi-bin/Calcium40.pl?Op=ShowIt&CalendarName=XSS_%3Cbody%20onload=alert(document.cookie)%3E_here

Impact:
Attacker could impersonate victim to do any activity the victim is authorized to do through a compromised web site, for example, initiate funds transfers or access private data. Under some circumstances the existence of this vulnerability in one web site could be used to attack other web sites in the same DNS domain. For example, if host "a.example.com" shares cookies with host "b.example.com" and "b" is vulnerable, "b" can be used to attack "a".

Versions tested:
Calcium 4.0.4  Vulnerable
Calcium 3.10   Vulnerable

Potential victims:
1. User web client with scripting languages enabled.
2. Web server hosting unpatched software.
3. Other web servers on the same DNS domain.

Workarounds:
1. Victim web client may disable scripting languages.
2. Vulnerable web site may temporarily shut down until patch can be applied.
3. Exposed web sites sharing the same DNS domain should not share authentication cookies with vulnerable site.
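To make the defect class concrete, here is an added Perl CGI example (not Calcium's code) that shows the vulnerable pattern of interpolating the raw CalendarName value into an error page beside a hardened handler that validates the name and HTML-escapes anything it echoes. The calendar names in the allowlist and the idea that the error text is rendered to the browser are assumptions for the illustration.

```perl
# Added illustration, not Calcium's code: a minimal CGI handler that validates
# the CalendarName parameter and HTML-escapes whatever it echoes back.
use strict;
use warnings;

# Hypothetical set of calendars that actually exist (constructed sample data).
my %known_calendar = map { $_ => 1 } qw(Staff Lab Seminars);

# Escape the characters that can break out of an HTML text or attribute context.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Accept only a conservative character set and length before the name is used.
sub valid_calendar_name {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;
}

# Vulnerable pattern: the raw parameter is interpolated straight into markup,
# so an error page built this way executes whatever tags the caller supplied.
sub error_page_unsafe {
    my ($name) = @_;
    return "<p>Bad Calendar or Database name! '$name'</p>";
}

# Hardened pattern: the raw value goes only to the server error log (warn writes
# to STDERR), and the browser sees an escaped copy that renders as plain text.
sub error_page_safe {
    my ($name) = @_;
    my $raw = defined $name ? $name : '';
    warn "rejected calendar name: $raw\n";
    return "<p>Bad Calendar or Database name! '" . html_escape($raw) . "'</p>";
}

# Constructed input mirroring the proof-of-concept URL above (already URL-decoded).
my $name = 'XSS_<body onload=alert(document.cookie)>_here';
print "Content-Type: text/html; charset=UTF-8\r\n\r\n";
if (valid_calendar_name($name) && $known_calendar{$name}) {
    print "<p>Showing calendar ", html_escape($name), "</p>\n";
} else {
    print error_page_safe($name), "\n";
}
```

Run from a shell it prints the escaped error page to standard output and the raw rejected value to standard error; under a web server the latter lands in the error log rather than in the response.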
Researcher's quick patch for version 4.0.4:
Until vendor patch is received, this may help. Use at your own risk.
In file cgi-bin/CalciumDir40/Calendar/Database.pm:

72c72
< die "Bad Calendar or Database name! '$dbName' \n"
---
> die "Bad Calendar or Database name!\n"

Vendor response: Vendor provided a patch by email.

Local access to victim computer required: NO.
Victim user assistance required: YES. For example, victim can be enticed to visit a malicious web page or open a malicious email.
Authentication required: NO. Attack can be carried out by an unauthenticated attacker against an unauthenticated victim. However, if the victim has authenticated to a web site, the attacker may be able to steal the victim's authentication credentials and use them to access the victim's private information and/or complete any action that the victim is authorized to perform on that web site, or on other web sites in the same DNS domain that share authentication cookies.

Disclosure Timeline:
2008-05-13 Vulnerability discovered.
2008-05-14 Vendor notified.
2008-05-14 Initial vendor response.
2008-05-22 Vendor provided patch for version 4.0.4.
2008-05-23 Vendor provided patch for version 3.10.
2008-05-28 Vendor commented on draft of this disclosure.
2008-05-28 Public disclosure.

Disclaimer:
All information is thought to be correct as of the time of disclosure, however, this information is provided without any assurance as to its accuracy or reliability. The purpose of this disclosure is to alert users who may be at risk, and empower them to test their own systems, with the goal of improving Internet security for all. It may be illegal to use this information to test systems you do not own. You are responsible for what you do with this information. No one else accepts liability for what you do.

Credit: Discovered by Marvin Simkin.
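Review bot: The one-line change to Database.pm at line 72 in the researcher's quick patch (removing '$dbName' from the die message) stops that error path from echoing the unvalidated CalendarName value, but it also discards a diagnostic administrators may want, and it does not address why the raw value could reach the browser in the first place. A fuller fix keeps the message and HTML-escapes $dbName (or writes the raw value only to the server log) at the point where the error text is rendered, and rejects names that fail validation before they are used anywhere else.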
About the author:
Marvin Simkin was one of several security researchers to independently discover "reflected" (type 1) XSS and participate in responsible disclosure in 1999. At the time of discovery, available statistics suggested that at least 95% of all web sites on the Internet were vulnerable.

-------------------------------------
Marvin Simkin
Manager of Information Technology
School of Earth and Space Exploration
Arizona State University
http://simkin.asu.edu/