| VID | 21395 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | WebCalendar is vulnerable to directory traversal. WebCalendar is a graphical PHP application used to maintain a calendar for a single user or an intranet group of users. WebCalendar versions 0.9.41 and earlier could allow a remote attacker to traverse directories on the Web server. A remote attacker could send a "login.php" request containing "dot dot" sequences (../) as the value of the 'user_inc' variable to traverse directories and view files outside of the Web root directory. |
| References | http://www.securiteam.com/unixfocus/5ZP0K00ALY.html |
| Platforms Affected | Craig Knudsen, WebCalendar 0.9.41 and earlier; Linux, any version; Microsoft Windows, any version; Unix, any version |
| Recommendation | Upgrade to the latest version of WebCalendar (0.9.42 or later), available from the SourceForge Web site: http://sourceforge.net/projects/webcalendar/ |
| Related URL | (CVE) |
| Related URL | 8237 (SecurityFocus) |
| Related URL | 12664 (ISS) |
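A detection sketch for the request pattern described above, added here as an example and not part of the original advisory or of WebCalendar: it scans web server access logs for "login.php" requests whose 'user_inc' value contains a "dot dot" path segment, including percent-encoded and double-encoded forms. The function names, the /webcalendar/ path and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Matches the request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def _fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if the decoded value contains a '..' path segment (either slash style)."""
    return '..' in re.split(r'[\\/]', _fully_decode(value))

def find_user_inc_traversal(log_lines):
    """Return (line_number, user_inc value) for suspicious login.php requests."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith('/login.php'):
            continue
        # parse_qsl already decodes once; has_traversal handles further layers.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == 'user_inc' and has_traversal(value):
                hits.append((lineno, value))
    return hits

# Constructed sample log lines (assumed install path, not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /webcalendar/login.php HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2004:10:00:05 +0000] "GET /webcalendar/login.php?user_inc=../../example.txt HTTP/1.0" 200 90',
    '192.0.2.12 - - [01/Jan/2004:10:00:09 +0000] "GET /webcalendar/login.php?user_inc=%252e%252e%252fexample.txt HTTP/1.0" 200 90',
    '192.0.2.13 - - [01/Jan/2004:10:00:12 +0000] "GET /webcalendar/login.php?user_inc=user.php HTTP/1.0" 200 512',
    '192.0.2.14 - - [01/Jan/2004:10:00:15 +0000] "GET /webcalendar/month.php?user_inc=../x HTTP/1.0" 200 512',
]

if __name__ == '__main__':
    for lineno, value in find_user_inc_traversal(SAMPLE_LOG):
        print(f'line {lineno}: suspicious user_inc={value!r}')
```

Access logs normally record only the query string, so a 'user_inc' value sent in a POST body would not be seen by this check; the upgrade in the Recommendation remains the fix.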