| Field | Value |
|---|---|
| VID | 21850 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | PHP iCalendar is a web-based calendar viewer and parser written in PHP. Versions prior to 2.21 contain multiple remote file include vulnerabilities. PHP iCalendar versions 2.0.1, 2.1, and 2.2 could allow a remote attacker to include malicious PHP files because user-supplied input passed to the "file" parameter of the "functions/template.php" script and to the "getdate" parameter of the "search.php" script is not properly validated. A remote attacker can send a specially crafted URL request to execute arbitrary PHP code and operating system commands on the affected host. |
| References | http://evuln.com/vulns/70/summary.html, http://dimer.tamu.edu/phpicalendar.net/forums/viewtopic.php?p=1869#1869, http://www.securityfocus.com/archive/1/archive/1/424424/100/0/threaded, http://www.frsirt.com/english/advisories/2006/0493, http://secunia.com/advisories/18778 |
| Platforms Affected | PHP iCalendar versions 2.0.1, 2.1, and 2.2; any operating system; any version |
| Recommendation | Upgrade to the latest version of PHP iCalendar (2.21 or later), available from the SourceForge.net download site at http://sourceforge.net/project/showfiles.php?group_id=62270 |
| Related URL | CVE-2006-0648 (CVE) |
| Related URL | 16557 (SecurityFocus) |
| Related URL | 24591 (ISS) |