VID | 21786
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
WebCalendar versions prior to 1.0.2 are affected by multiple remote vulnerabilities. WebCalendar is a graphical PHP application used to maintain a calendar for a single user or an intranet group of users. The affected versions contain four SQL injection vulnerabilities (in the files activity_log.php, admin_handler.php, edit_template.php and export_handler.php) and one local file overwrite vulnerability (export_handler.php). In addition, the 'layers_toggle.php' script is prone to HTTP response splitting attacks.
* References:
  http://www.ush.it/2005/11/28/webcalendar-multiple-vulnerabilities/
  http://www.securityfocus.com/archive/1/418286/30/0/threaded
  https://sourceforge.net/tracker/index.php?func=detail&aid=1369439&group_id=3870&atid=303870
  http://secunia.com/advisories/17848/
* Platform Affected: Craig Knudsen, WebCalendar versions prior to 1.0.2; any operating system, any version
Recommendation |
Upgrade to the latest version of WebCalendar (1.0.2 or later), available from the WebCalendar Download Web page at http://www.k5n.us/webcalendar.php?topic=Download |
Related URL | CVE-2005-3949, CVE-2005-3982, CVE-2005-3984 (CVE)
Related URL | 15606, 15608, 15662, 15673 (SecurityFocus)
Related URL | 23476 (ISS)