Vulnerability CVE-2006-1291


Published: 2006-03-19   Modified: 2012-02-12

Description:
publish.ical.php in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier does not require authentication for write access to the calendars directory, which allows remote attackers to upload and execute arbitrary PHP scripts via a WebDAV PUT request with a filename containing a .php extension and a trailing null character.

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software
Php icalendar -> Php icalendar 

 References:
http://www.vupen.com/english/advisories/2006/1019
http://www.securityfocus.com/bid/17129
http://www.milw0rm.com/exploits/1586
http://downloads.securityfocus.com/vulnerabilities/exploits/php-iCalendar-221.upload.php
http://secunia.com/advisories/19285

Copyright 2024, cxsecurity.com

 
