VID | 21998
Severity | 40
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
The WebCalendar program is vulnerable to the 'noSet' variable overwriting vulnerability. WebCalendar is a graphical PHP application used to maintain a calendar for a single user or an intranet group of users. WebCalendar version 1.0.4 and earlier versions could allow a remote attacker to overwrite variables, because user-supplied input passed to unspecified parameters is not properly validated before being used with the noSet variable set. By overwriting system variables with arbitrary input, the attacker could perform cross-site scripting, SQL injection, remote PHP file include, and other attacks.
* References:
  http://sourceforge.net/project/shownotes.php?release_id=491130
  http://secunia.com/advisories/24403/
* Platforms Affected:
  Open Source Technology Group, WebCalendar version 1.0.4 and earlier versions
  Any operating system, any version
Recommendation | Upgrade to the latest version of WebCalendar (1.0.5 or later), available from the WebCalendar Download Web page at http://www.k5n.us/webcalendar.php?topic=Download
Related URL | CVE-2007-1343 (CVE)
Related URL | 22834 (SecurityFocus)
Related URL | 32832 (ISS)