Vulnerabilities > CVE-2005-3949 - SQL Injection vulnerability in Webcalendar 1.0.1

047910
CVSS v2 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
low complexity
webcalendar
nessus

Summary

Multiple SQL injection vulnerabilities in WebCalendar 1.0.1 allow remote attackers to execute arbitrary SQL commands via the (1) startid parameter to activity_log.php, (2) startid parameter to admin_handler.php, (3) template parameter to edit_template.php, and (4) multiple parameters to export_handler.php.

Vulnerable Configurations

Part | Description | Count
Application | Webcalendar | 1

Nessus

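  • NASL family: CGI abuses
    NASL id: WEBCALENDAR_102.NASL
    description: The remote version of WebCalendar does not validate input to the 'id' and 'format' parameters of the 'export_handler.php' script before using it to overwrite files on the remote host, subject to the privileges of the web server user id.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20250
    published: 2005-12-02
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20250
    title: WebCalendar < 1.0.2 Multiple Vulnerabilities
    code: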
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
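    # Registration block. When the engine loads the plugin with 'description'
    # set, only the metadata below is declared; the exit(0) at the end returns
    # before any of the test code further down the script runs.
    if (description) {
      script_id(20250);
      script_version("1.21");
    
      # One entry per CVE covered by this check.
      script_cve_id("CVE-2005-3949", "CVE-2005-3961", "CVE-2005-3982");
      script_bugtraq_id(15606, 15608, 15662, 15673);
    
      script_name(english:"WebCalendar < 1.0.2 Multiple Vulnerabilities");
      script_summary(english:"Checks for multiple vulnerabilities in WebCalendar < 1.0.2");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server has a PHP application that is affected by
    multiple vulnerabilities." );
      # The description names three issue classes: file overwrite through
      # export_handler.php, SQL injection in several scripts, and HTTP
      # response splitting in layers_toggle.php.
      script_set_attribute(attribute:"description", value:
    "The remote version of WebCalendar does not validate input to the 'id'
    and 'format' parameters of the 'export_handler.php' script before
    using it to overwrite files on the remote host, subject to the
    privileges of the web server user id. 
    
    In addition, the 'activity_log.php', 'admin_handler.php',
    'edit_report_handler.php', 'edit_template.php' and
    'export_handler.php' scripts are prone to SQL injection attacks and
    the 'layers_toggle.php' script is prone to HTTP response splitting
    attacks." );
      script_set_attribute(attribute:"see_also", value:"http://www.ush.it/2005/11/28/webcalendar-multiple-vulnerabilities/" );
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/418286/30/0/threaded" );
      script_set_attribute(attribute:"see_also", value:"https://sourceforge.net/tracker/index.php?func=detail&aid=1369439&group_id=3870&atid=303870" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to WebCalendar 1.0.2 or later." );
    
      # CVSS v2 base vector: reachable over the network, low complexity, no
      # authentication, partial confidentiality / integrity / availability
      # impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      # Temporal vector: proof-of-concept exploitability (E:POC), official
      # fix available (RL:OF), report confirmed (RC:C).
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      # NOTE(review): exploit_available is "false" although the temporal
      # vector above says E:POC -- confirm which one is intended.
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/02");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/11/28");
      script_cvs_date("Date: 2018/11/15 20:50:19");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
    
      # ACT_ATTACK: this is an active check. The test code of this script
      # sends a crafted POST to export_handler.php on the target rather than
      # only reading version information.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
    
      # Scheduling constraints: run after webcalendar_detect.nasl, skip when
      # the "Settings/disable_cgi_scanning" key is set, and require a web
      # service and the "www/PHP" key in the knowledge base.
      script_dependencies("webcalendar_detect.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }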
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    # Pick the web port to test (80 is passed as the default) and stop unless
    # can_host_php() reports true for that port.
    port = get_http_port(default:80);
    if (!can_host_php(port:port)) exit(0);
    
    
    # Test an install.
    #
    # nb: this requires the application be configured to allow public access.
    #
    # The install location is read from the knowledge base key
    # "www/<port>/webcalendar" (presumably written by the declared dependency
    # webcalendar_detect.nasl -- confirm). The regex expects a value of the
    # form "<something> under <dir>" and keeps <dir> as the base path.
    install = get_kb_item(string("www/", port, "/webcalendar"));
    if (isnull(install)) exit(0);
    matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
    if (!isnull(matches)) {
      dir = matches[2];
    
      # Make sure one of the affected scripts exists.
      w = http_send_recv3(method:"GET",item:string(dir, "/export_handler.php"), port:port);
      if (isnull(w)) exit(0);
      # w[2] is used as the response text for the marker test below.
      res = w[2];
    
      # If it does...
      #
      # nb: this appears in the case of an export error.
      if ('<span style="font-weight:bold;"' >< res) {
        # Pass a non-integer value for year; in a patched / fixed version
        # we'll get an error; otherwise, we'll get a calendar export.
        #
        # The probe only distinguishes "input rejected" from "export
        # produced"; the value sent is the fixed string "nessus".
        postdata = string(
          "format=ical&",
          "fromyear=nessus"
        );
        # The query string carries plugin=<SCRIPT_NAME>, so the request is
        # presumably identifiable in the target's web server logs -- useful
        # when correlating scanner traffic during log review.
        w = http_send_recv3(method:"POST", port: port,
          item: dir+"/export_handler.php?plugin="+SCRIPT_NAME,
          content_type: "application/x-www-form-urlencoded",
          data: postdata);
        if (isnull(w)) exit(0);
        # Join w[0], w[1] and w[2] into one string so the header text can be
        # searched together with the rest of the response.
        res = strcat(w[0], w[1], '\r\n', w[2]);
    
        # There's a problem if we're able to export the calendar.
        #
        # NOTE(review): '><' is a case-sensitive substring test over the
        # whole joined response, so a differently cased header name would be
        # missed and a body containing this literal text would also match.
        if ("Content-Type: text/calendar" >< res) {
          # Report the finding on this port and record
          # "www/<port>/SQLInjection" in the knowledge base.
          security_hole(port);
          set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
        }
      }
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1002.NASL
    description: Several security related problems have been discovered in webcalendar, a PHP based multi-user calendar. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2005-3949 Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands. - CVE-2005-3961 Missing input sanitising allows an attacker to overwrite local files. - CVE-2005-3982 A CRLF injection vulnerability allows remote attackers to modify HTTP headers and conduct HTTP response splitting attacks.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22544
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22544
    title: Debian DSA-1002-1 : webcalendar - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1002. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration block. When the engine loads the plugin with 'description'
    # set, only the metadata below is declared; the exit(0) at the end returns
    # before the package check further down the script runs.
    if (description)
    {
      script_id(22544);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      # Cross-references: three CVEs, four Bugtraq ids and the Debian
      # advisory number (DSA 1002).
      script_cve_id("CVE-2005-3949", "CVE-2005-3961", "CVE-2005-3982");
      script_bugtraq_id(15606, 15608, 15662, 15673);
      script_xref(name:"DSA", value:"1002");
    
      script_name(english:"Debian DSA-1002-1 : webcalendar - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Advisory text: SQL injection, local file overwrite and CRLF
      # injection / HTTP response splitting.
      script_set_attribute(
        attribute:"description", 
        value:
    "Several security related problems have been discovered in webcalendar,
    a PHP based multi-user calendar. The Common Vulnerabilities and
    Exposures project identifies the following vulnerabilities :
    
      - CVE-2005-3949
        Multiple SQL injection vulnerabilities allow remote
        attackers to execute arbitrary SQL commands.
    
      - CVE-2005-3961
        Missing input sanitising allows an attacker to overwrite
        local files.
    
      - CVE-2005-3982
        A CRLF injection vulnerability allows remote attackers
        to modify HTTP headers and conduct HTTP response
        splitting attacks."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341208"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342090"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-3949"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-3961"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2005-3982"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1002"
      );
      # The fixed version quoted here (0.9.45-4sarge3) is the same value the
      # package check in this script passes as its reference version.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the webcalendar package.
    
    The old stable distribution (woody) does not contain webcalendar
    packages.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 0.9.45-4sarge3."
      );
      # CVSS v2 base vector: reachable over the network, low complexity, no
      # authentication, partial confidentiality / integrity / availability
      # impact. Temporal vector: E:POC, RL:OF, RC:C.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # plugin_type "local": the verdict comes from package data already in
      # the knowledge base (see the required keys below), not from requests
      # to the web application.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:webcalendar");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Scheduling constraints: run after ssh_get_info.nasl and require the
      # local-checks flag, the Debian release and the dpkg listing in the
      # knowledge base.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions for a local package check. Each guard passes an AUDIT_*
    # reason to audit() (from audit.inc, not shown here; presumably it ends
    # the script) when local checks are off, the host is not recorded as
    # Debian, or no dpkg package list is in the knowledge base.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Check packages whose name starts with "webcalendar" on Debian release
    # 3.1 against the reference version 0.9.45-4sarge3.
    # presumably deb_check() returns true when the installed version is older
    # than 'reference' -- confirm against debian_package.inc.
    #
    # NOTE(review): this block only consults package data; it sends nothing
    # to the web application. A WebCalendar copy deployed outside the package
    # manager would presumably not be assessed by this plugin.
    flag = 0;
    if (deb_check(release:"3.1", prefix:"webcalendar", reference:"0.9.45-4sarge3")) flag++;
    
    if (flag)
    {
      # Report on port 0; the package report text from deb_report_get() is
      # attached only when report_verbosity is above 0.
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");