| VID | 21865 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | PHP iCalendar is vulnerable to local file inclusion via the 'phpicalendar' cookie. PHP iCalendar is a web-based calendar viewer / parser written in PHP. PHP iCalendar version 2.21 and earlier versions could allow a remote attacker to include and execute arbitrary local files via directory traversal sequences and a null (%00) character in the 'phpicalendar[cookie_language]' and 'phpicalendar[cookie_style]' parameters in the 'phpicalendar' cookie. A remote attacker could exploit this flaw to view arbitrary files and possibly to execute arbitrary local files on the affected host. References: http://secunia.com/advisories/19285/ and http://www.milw0rm.com/exploits/1585. Platforms Affected: PHP iCalendar version 2.21 and earlier versions; any operating system, any version. |
| Recommendation | No upgrade or patch available as of March 2006. Upgrade to a version of PHP iCalendar greater than 2.21 when a fixed version becomes available from the SourceForge.net download site at http://sourceforge.net/project/showfiles.php?group_id=62270 |
| Related URL | CVE-2006-1292 (CVE) |
| Related URL | 17125 (SecurityFocus) |
| Related URL | (ISS) |
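
A check for the request pattern given in the Detailed Description, as an added example that is not part of the original advisory or of PHP iCalendar: it inspects a Cookie header value (for instance from proxy or WAF logs) for null bytes and traversal sequences in the 'phpicalendar' cookie. The function names, the decode-round limit and the sample headers are assumptions constructed for illustration; a value wrapped in some other encoding is not unwrapped.

```python
import re
from urllib.parse import unquote

COOKIE_NAME = "phpicalendar"   # cookie named in the advisory
MAX_DECODE_ROUNDS = 3          # assumption: enough to unwrap double encoding
TRAVERSAL = re.compile(r"\.\.[\\/]")  # ../ or ..\ after decoding

def fully_decode(value):
    """Percent-decode repeatedly so %252e%252e%252f is seen as ../"""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_cookie_header(header):
    """Return [(cookie_name, reasons)] for suspicious phpicalendar cookies."""
    findings = []
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if not sep:
            continue
        # PHP maps phpicalendar[key]=v onto the phpicalendar array, and the
        # brackets may arrive percent-encoded, so decode the name first.
        name = fully_decode(name)
        if name != COOKIE_NAME and not name.startswith(COOKIE_NAME + "["):
            continue
        decoded = fully_decode(value)
        reasons = []
        if "\x00" in decoded:
            reasons.append("nul-byte")
        if TRAVERSAL.search(decoded):
            reasons.append("traversal")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed Cookie header values (not captured traffic).
SAMPLE_HEADERS = [
    "phpicalendar[cookie_language]=English; session=abc123",
    "phpicalendar[cookie_style]=..%2F..%2Fplaceholder%00",
    "phpicalendar%5Bcookie_language%5D=%252e%252e%252fplaceholder%2500",
    "other=..%2F..%2Fignored%00",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(inspect_cookie_header(header) or "clean", "<-", header)
```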