Vulnerabilities > CVE-2005-3961 - File Corruption vulnerability in Webcalendar 1.0.1

047910
CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
network
low complexity
webcalendar
nessus

Summary

export_handler.php in WebCalendar 1.0.1 allows remote attackers to overwrite WebCalendar data files via a modified id parameter.

Vulnerable Configurations

Part Description Count
Application
Webcalendar
1

Nessus

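  • NASL family: CGI abuses
    NASL id: WEBCALENDAR_102.NASL
    description: The remote version of WebCalendar does not validate input to the 'id' and 'format' parameters of the 'export_handler.php' script before using it to overwrite files on the remote host, subject to the privileges of the web server user id.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20250
    published: 2005-12-02
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20250
    title: WebCalendar < 1.0.2 Multiple Vulnerabilities
    code: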
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
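    # Registration block: executed when 'description' is set. It only declares
    # the plugin's metadata and requirements, then exits before any request is
    # sent to the target.
    if (description) {
      script_id(20250);
      script_version("1.21");

      # Each CVE is listed once (the list previously repeated CVE-2005-3982).
      script_cve_id("CVE-2005-3949", "CVE-2005-3961", "CVE-2005-3982");
      script_bugtraq_id(15606, 15608, 15662, 15673);

      script_name(english:"WebCalendar < 1.0.2 Multiple Vulnerabilities");
      script_summary(english:"Checks for multiple vulnerabilities in WebCalendar < 1.0.2");

      script_set_attribute(attribute:"synopsis", value:
    "The remote web server has a PHP application that is affected by
    multiple vulnerabilities." );
      script_set_attribute(attribute:"description", value:
    "The remote version of WebCalendar does not validate input to the 'id'
    and 'format' parameters of the 'export_handler.php' script before
    using it to overwrite files on the remote host, subject to the
    privileges of the web server user id. 
    
    In addition, the 'activity_log.php', 'admin_handler.php',
    'edit_report_handler.php', 'edit_template.php' and
    'export_handler.php' scripts are prone to SQL injection attacks and
    the 'layers_toggle.php' script is prone to HTTP response splitting
    attacks." );
      script_set_attribute(attribute:"see_also", value:"http://www.ush.it/2005/11/28/webcalendar-multiple-vulnerabilities/" );
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/418286/30/0/threaded" );
      script_set_attribute(attribute:"see_also", value:"https://sourceforge.net/tracker/index.php?func=detail&aid=1369439&group_id=3870&atid=303870" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to WebCalendar 1.0.2 or later." );

      # The base vector rates the whole set of issues this plugin reports
      # (C:P/I:P/A:P). The file-overwrite issue on its own (CVE-2005-3961) is
      # an integrity-only impact, so do not read this vector as that CVE's score.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/02");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/11/28");
      script_cvs_date("Date: 2018/11/15 20:50:19");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();

      # ACT_ATTACK: the check body sends a POST with a deliberately invalid
      # 'fromyear' value to the target, so this is an active probe rather than
      # a banner or version comparison.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");

      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

      # Runs after WebCalendar detection, is skipped when CGI scanning is
      # disabled, and requires a web service that is flagged as hosting PHP.
      script_dependencies("webcalendar_detect.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP");
      exit(0);
    }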
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    # Remote check: confirm that export_handler.php on a detected WebCalendar
    # install still accepts unvalidated input. Every early exit below is a
    # silent "nothing to report".
    port = get_http_port(default:80);
    if (!can_host_php(port:port)) exit(0);

    # Look up the install recorded in the KB for this port.
    #
    # nb: the probe needs the application to allow public access, so an
    # install that requires login is not flagged by this check either way.
    kb_entry = get_kb_item(string("www/", port, "/webcalendar"));
    if (isnull(kb_entry)) exit(0);

    # The KB value has the form "<something> under <path>"; only the path
    # (second capture group) is used.
    parts = eregmatch(string:kb_entry, pattern:"^(.+) under (/.*)$");
    if (isnull(parts)) exit(0);
    base = parts[2];

    # Step 1: make sure the affected script exists. A request without any
    # parameters yields an export error containing this markup.
    probe = http_send_recv3(method:"GET",item:string(base, "/export_handler.php"), port:port);
    if (isnull(probe)) exit(0);
    if ('<span style="font-weight:bold;"' >!< probe[2]) exit(0);

    # Step 2: submit a non-integer year. A fixed version answers with an
    # error; an unfixed one returns a calendar export. The request is tagged
    # with the plugin name so it can be recognised in the web server's logs.
    # NOTE(review): this exercises the 'fromyear' validation, not the 'id'
    # parameter named for the file overwrite - a hit shows an unfixed
    # handler, it does not demonstrate the overwrite itself.
    form_body = string("format=ical&fromyear=nessus");
    reply = http_send_recv3(method:"POST", port: port,
      item: base+"/export_handler.php?plugin="+SCRIPT_NAME,
      content_type: "application/x-www-form-urlencoded",
      data: form_body);
    if (isnull(reply)) exit(0);

    # Status line, headers and body are joined so the Content-Type header
    # can be searched with a single substring test.
    full_reply = strcat(reply[0], reply[1], '\r\n', reply[2]);
    if ("Content-Type: text/calendar" >!< full_reply) exit(0);

    # The export succeeded: report the finding and record the SQL injection
    # flag in the KB for this port.
    security_hole(port);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1002.NASL
    description: Several security related problems have been discovered in webcalendar, a PHP based multi-user calendar. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2005-3949 Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands. - CVE-2005-3961 Missing input sanitising allows an attacker to overwrite local files. - CVE-2005-3982 A CRLF injection vulnerability allows remote attackers to modify HTTP headers and conduct HTTP response splitting attacks.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22544
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22544
    title: Debian DSA-1002-1 : webcalendar - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1002. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration block for the Debian DSA-1002 local check: declares the
    # plugin's metadata and requirements when 'description' is set, then exits.
    if (description) {
      script_id(22544);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:19");

      # Identifiers covered by the advisory.
      script_cve_id("CVE-2005-3949", "CVE-2005-3961", "CVE-2005-3982");
      script_bugtraq_id(15606, 15608, 15662, 15673);
      script_xref(name:"DSA", value:"1002");

      script_name(english:"Debian DSA-1002-1 : webcalendar - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");

      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "Several security related problems have been discovered in webcalendar,
    a PHP based multi-user calendar. The Common Vulnerabilities and
    Exposures project identifies the following vulnerabilities :
    
      - CVE-2005-3949
        Multiple SQL injection vulnerabilities allow remote
        attackers to execute arbitrary SQL commands.
    
      - CVE-2005-3961
        Missing input sanitising allows an attacker to overwrite
        local files.
    
      - CVE-2005-3982
        A CRLF injection vulnerability allows remote attackers
        to modify HTTP headers and conduct HTTP response
        splitting attacks.");

      # References: Debian bug reports, security-tracker entries, the advisory.
      script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341208");
      script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342090");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-3949");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-3961");
      script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2005-3982");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1002");

      script_set_attribute(attribute:"solution", value:
    "Upgrade the webcalendar package.
    
    The old stable distribution (woody) does not contain webcalendar
    packages.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 0.9.45-4sarge3.");

      # The vector rates the advisory's three CVEs together, not any single one.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");

      # Local check: the package and the Debian release it applies to.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:webcalendar");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

      script_set_attribute(attribute:"patch_publication_date", value:"2006/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/28");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");

      # Needs the host information gathered over SSH: local checks enabled,
      # a Debian release string and the dpkg package list.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: each missing KB item ends the run with its audit message.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);


    # Compare the webcalendar package on Debian 3.1 against the fixed version
    # named in the advisory text. This is a package-version check only; it
    # does not probe the web application.
    needs_update = deb_check(release:"3.1", prefix:"webcalendar", reference:"0.9.45-4sarge3");

    # Nothing flagged: record the host as not affected.
    if (!needs_update) audit(AUDIT_HOST_NOT, "affected");

    # Flagged: report, attaching the package details when verbosity allows.
    if (report_verbosity > 0)
      security_hole(port:0, extra:deb_report_get());
    else
      security_hole(0);
    exit(0);