VID | 21897
Severity | 20
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description | The WebCalendar program is vulnerable to user account enumeration. WebCalendar is a graphical PHP application used to maintain a calendar for a single user or an intranet group of users. WebCalendar versions 1.0.1, 1.0.2 and 1.0.3 have an information disclosure issue: the login page returns different error messages depending on whether an unsuccessful login attempt used a valid or an invalid username. Once a valid username is discovered, a remote attacker may use brute-force techniques to gain access to the WebCalendar application.
* References:
  - http://www.securityfocus.com/archive/1/433053/30/0/threaded
  - http://www.securityfocus.com/archive/1/433077/100/0/threaded
  - http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/045758.html
  - http://secunia.com/advisories/19974
  - http://secunia.com/advisories/20108
* Platforms Affected:
  - Craig Knudsen, WebCalendar 1.0.1
  - Craig Knudsen, WebCalendar 1.0.2
  - Craig Knudsen, WebCalendar 1.0.3
  - Any operating system
  - Any version
Recommendation | No upgrade or patch available as of May 2006.
Upgrade to the latest version of WebCalendar (1.1 or later) when a new fixed version becomes available from the WebCalendar Download Web page at http://www.k5n.us/webcalendar.php?topic=Download
Related URL | CVE-2006-2247 (CVE)
Related URL | 17853 (SecurityFocus)
Related URL | 26262 (ISS)