VID | 21784
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
WebCalendar contains multiple remote file inclusion vulnerabilities in the 'includedir' parameter. WebCalendar is a graphical PHP application used to maintain a calendar for a single user or an intranet group of users. WebCalendar versions prior to 1.0.1 could allow a remote attacker to include malicious files, because user-supplied input passed to the 'includedir' parameter of the 'function.php' script and the 'send_reminders.php' script is improperly filtered. These vulnerabilities could permit a remote attacker to execute arbitrary PHP script code and operating system commands on the affected system in the security context of the Web server process.
* References:
  http://www.debian.org/security/2005/dsa-799
  http://www.securitytracker.com/alerts/2005/Sep/1014849.html
  http://www.frsirt.com/english/advisories/2005/1513
  http://secunia.com/advisories/16528/
* Platform Affected: Craig Knudsen, WebCalendar versions prior to 1.0.1; any operating system, any version |
Recommendation |
Upgrade to the latest version of WebCalendar (1.0.1 or later), available from the WebCalendar Download Web page at http://www.k5n.us/webcalendar.php?topic=Download |
Related URL | CVE-2005-2717 (CVE)
Related URL | 14651 (SecurityFocus)
Related URL | 22136 (ISS)