| Field | Value |
|---|---|
| VID | 21634 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | WebCalendar is affected by an unauthorized access vulnerability in the assistant_edit.php script. WebCalendar is a graphical PHP application used to maintain a calendar for a single user or an intranet group of users. Versions prior to 1.0.0 allow a remote attacker to request the assistant_edit.php script directly without proper permissions, and so to change assistants and display all users in the system even when the 'Public access can view other users' setting has been disabled.<br>References: http://secunia.com/advisories/15788/<br>Platforms Affected: Craig Knudsen, WebCalendar 1.0 RC2; Craig Knudsen, WebCalendar 1.0 RC1; Craig Knudsen, WebCalendar 0.9.x; Linux Any version; Unix Any version |
| Recommendation | Upgrade to the latest version of WebCalendar (1.0.0 or later), available from the WebCalendar Download Web page at http://www.k5n.us/webcalendar.php?topic=Download |
| Related URL | CVE-2005-2320 (CVE) |
| Related URL | 14072 (SecurityFocus) |
| Related URL | 21155 (ISS) |