Vulnerabilities > CVE-2005-3982 - Unspecified vulnerability in Webcalendar 1.0.1
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Summary
CRLF injection vulnerability in layers_toggle.php in WebCalendar 1.0.1 might allow remote attackers to modify HTTP headers and conduct HTTP response splitting attacks via the ret parameter, which is used to redirect URL requests.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description | WebCalendar 1.0.1 Layers_Toggle.PHP HTTP Response Splitting Vulnerability. CVE-2005-3982 . Webapps exploit for php platform |
id | EDB-ID:26691 |
last seen | 2016-02-03 |
modified | 2005-12-01 |
published | 2005-12-01 |
reporter | lwang |
source | https://www.exploit-db.com/download/26691/ |
title | WebCalendar 1.0.1 Layers_Toggle.PHP HTTP Response Splitting Vulnerability |
Nessus
NASL family CGI abuses
NASL id WEBCALENDAR_102.NASL
description The remote version of WebCalendar does not validate input to the
last seen 2020-06-01
modified 2020-06-02
plugin id 20250
published 2005-12-02
reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/20250
title WebCalendar < 1.0.2 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

# Remote check for WebCalendar < 1.0.2.
#
# Scope of the probe: every request this script sends goes to
# export_handler.php. layers_toggle.php and its 'ret' parameter are never
# requested, so the HTTP response splitting issue (CVE-2005-3982) is reported
# by association with the export_handler.php result, not by a direct test.
#
# Result: security_hole() is raised only when a POST carrying a non-integer
# 'fromyear' comes back with "Content-Type: text/calendar". Every other path
# exits or falls through without reporting, so a silent run is not proof that
# the install is patched.

include("compat.inc");

# Metadata block: run when the scanner loads the plugin description; it ends
# with exit(0), so none of the probe code below runs in this mode.
if (description)
{
  script_id(20250);
  script_version("1.21");

  # NOTE(review): "CVE-2005-3982" is listed twice. Four Bugtraq IDs are given
  # below against three distinct CVE IDs, so one entry may have been meant to
  # be a different identifier - confirm against the advisories.
  script_cve_id("CVE-2005-3949", "CVE-2005-3961", "CVE-2005-3982", "CVE-2005-3982");
  script_bugtraq_id(15606, 15608, 15662, 15673);

  script_name(english:"WebCalendar < 1.0.2 Multiple Vulnerabilities");
  script_summary(english:"Checks for multiple vulnerabilities in WebCalendar < 1.0.2");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server has a PHP application that is affected by multiple vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"The remote version of WebCalendar does not validate input to the 'id' and 'format' parameters of the 'export_handler.php' script before using it to overwrite files on the remote host, subject to the privileges of the web server user id. In addition, the 'activity_log.php', 'admin_handler.php', 'edit_report_handler.php', 'edit_template.php' and 'export_handler.php' scripts are prone to SQL injection attacks and the 'layers_toggle.php' script is prone to HTTP response splitting attacks." );
  script_set_attribute(attribute:"see_also", value:"http://www.ush.it/2005/11/28/webcalendar-multiple-vulnerabilities/" );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/418286/30/0/threaded" );
  script_set_attribute(attribute:"see_also", value:"https://sourceforge.net/tracker/index.php?func=detail&aid=1369439&group_id=3870&atid=303870" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to WebCalendar 1.0.2 or later." 
);
  # One base vector is declared for the whole plugin, which bundles several
  # issues. It is not a per-CVE score.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # NOTE(review): E:POC states that proof-of-concept code exists, while
  # "exploit_available" below is "false" - confirm which is current before
  # using either field for prioritisation.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/12/02");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/11/28");
  script_cvs_date("Date: 2018/11/15 20:50:19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Declared ACT_ATTACK: the probe below submits a crafted POST to the target
  # application rather than only reading what the server offers.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # Depends on the detection plugin, which supplies the
  # "www/<port>/webcalendar" KB entry read below.
  script_dependencies("webcalendar_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);
# Stop quietly when the web server on this port is not known to run PHP.
if (!can_host_php(port:port)) exit(0);

# Test an install.
#
# nb: this requires the application be configured to allow public access.
install = get_kb_item(string("www/", port, "/webcalendar"));
# No detected install recorded for this port: nothing to test.
if (isnull(install)) exit(0);
# The KB value is expected in the form "<something> under <dir>". Only the
# directory (second capture) is used.
# Presumably the first capture is the detected version - confirm against
# webcalendar_detect.nasl.
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  dir = matches[2];

  # Make sure one of the affected scripts exists.
  w = http_send_recv3(method:"GET",item:string(dir, "/export_handler.php"), port:port);
  if (isnull(w)) exit(0);
  # w[2] is used as the response text to search.
  # Presumably it holds the body - confirm against http.inc.
  res = w[2];

  # If it does...
  #
  # nb: this appears in the case of an export error.
  # If the marker is absent (for example when public access is disabled, per
  # the note above), the script ends without a finding. That is an untested
  # host, not a clean one.
  if ('<span style="font-weight:bold;"' >< res) {
    # Pass a non-integer value for year; in a patched / fixed version
    # we'll get an error; otherwise, we'll get a calendar export.
    postdata = string(
      "format=ical&",
      "fromyear=nessus"
    );
    # The request URL carries "?plugin=" followed by SCRIPT_NAME and the body
    # carries "fromyear=nessus". Both make this probe recognisable in
    # web-server and WAF logs when triaging scanner traffic.
    w = http_send_recv3(method:"POST", port: port,
      item: dir+"/export_handler.php?plugin="+SCRIPT_NAME,
      content_type: "application/x-www-form-urlencoded",
      data: postdata);
    if (isnull(w)) exit(0);
    # Join the three response parts into one string so that a header line can
    # be matched with a plain substring test.
    res = strcat(w[0], w[1], '\r\n', w[2]);

    # There's a problem if we're able to export the calendar.
    if ("Content-Type: text/calendar" >< res) {
      security_hole(port);
      # Records a per-port KB flag named SQLInjection. What consumes it is not
      # visible in this script.
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    }
  }
}
NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-1002.NASL
description Several security related problems have been discovered in webcalendar, a PHP based multi-user calendar. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2005-3949 Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands. - CVE-2005-3961 Missing input sanitising allows an attacker to overwrite local files. - CVE-2005-3982 A CRLF injection vulnerability allows remote attackers to modify HTTP headers and conduct HTTP response splitting attacks.
last seen 2020-06-01
modified 2020-06-02
plugin id 22544
published 2006-10-14
reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/22544
title Debian DSA-1002-1 : webcalendar - several vulnerabilities
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1002. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

# Local package check for Debian DSA-1002 (webcalendar).
#
# This script sends no HTTP request. It evaluates the 'webcalendar' package
# for Debian release "3.1" against the reference version "0.9.45-4sarge3" and
# reports when deb_check() flags it. The result says whether the packaged copy
# predates the fix. It does not say whether the application is reachable or
# whether a copy was installed outside the package manager.

include("compat.inc");

# Metadata block: run when the scanner loads the plugin description; it ends
# with exit(0), so the package check below does not run in this mode.
if (description)
{
  script_id(22544);
  script_version("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:19");

  script_cve_id("CVE-2005-3949", "CVE-2005-3961", "CVE-2005-3982");
  script_bugtraq_id(15606, 15608, 15662, 15673);
  script_xref(name:"DSA", value:"1002");

  script_name(english:"Debian DSA-1002-1 : webcalendar - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several security related problems have been discovered in webcalendar, a PHP based multi-user calendar. 
The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CVE-2005-3949 Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands. - CVE-2005-3961 Missing input sanitising allows an attacker to overwrite local files. - CVE-2005-3982 A CRLF injection vulnerability allows remote attackers to modify HTTP headers and conduct HTTP response splitting attacks."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341208"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342090"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2005-3949"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2005-3961"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2005-3982"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2006/dsa-1002"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the webcalendar package. The old stable distribution (woody) does not contain webcalendar packages. For the stable distribution (sarge) these problems have been fixed in version 0.9.45-4sarge3." 
);
  # One base vector is declared for the whole advisory, which covers three
  # CVEs. It is not a per-CVE score.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:webcalendar");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/03/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/11/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # The three required KB keys are the same ones tested again below. This
  # script only reads them.
  # Presumably ssh_get_info.nasl fills them from an authenticated session -
  # confirm.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Each missing prerequisite ends the run through audit() with a distinct
# reason code, so "not checked" can be told apart from "not affected" in scan
# output.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


# Counts package checks that flagged the host. Only one check exists here.
flag = 0;
# Only release "3.1" is evaluated. Hosts on any other release get no verdict
# from this line.
# Presumably deb_check() is true when the installed version is older than
# 'reference' - the helper is in debian_package.inc and not shown.
if (deb_check(release:"3.1", prefix:"webcalendar", reference:"0.9.45-4sarge3")) flag++;

if (flag)
{
  # With verbosity enabled, the finding carries the text from
  # deb_report_get(). Otherwise it is reported without detail.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
References
- http://secunia.com/advisories/17848
- http://secunia.com/advisories/19240
- http://vd.lwang.org/webcalendar_multiple_vulns.txt
- http://www.debian.org/security/2006/dsa-1002
- http://www.osvdb.org/21383
- http://www.securityfocus.com/archive/1/418286/100/0/threaded
- http://www.securityfocus.com/bid/15673
- http://www.vupen.com/english/advisories/2005/2702