Message-ID: <21ae1b060512021752w5e35013fg1488522c717bf590@mail.gmail.com>
Date: Sat, 3 Dec 2005 09:52:46 +0800
From: Louis Wang <bill.louis@...il.com>
To: Daniel Bertrand <danb@...urityfocus.com>,
bugtraq@...urityfocus.com
Subject: Re: WebCalendar
Hi, Dan:
Because some of the vulnerabilities have been fixed by the vendor, I have
updated this vulnerability advisory. Sorry for any trouble I have caused you.
The following is the updated advisory:
===================================================
WebCalendar CRLF Injection Vulnerability
I. BACKGROUND
WebCalendar is a PHP application used to maintain a calendar for one
or more persons and for a variety of purposes.
II. DESCRIPTION
CRLF injection vulnerability in WebCalendar layers_toggle.php allows
remote attackers to inject false HTTP headers into an HTTP request,
via a URL containing encoded carriage return, line feed, and other
whitespace characters.
III. PUBLISH DATE
Publish Date: 2005-12-1
Update Date: 2005-12-2
IV. AUTHOR
lwang (lwang at lwang dot org)
V. AFFECTED SOFTWARE
WebCalendar versions 1.0.1 and 1.1.0 are affected. Older versions are
not verified.
VI. ANALYSIS
In layers_toggle.php, the parameter $ret is not validated.

    if ( empty ( $error ) ) {
      // Go back to where we were if we can figure it out.
      if ( strlen ( $ret ) )
        do_redirect ( $ret );
      else if ( ! empty ( $HTTP_REFERER ) )
        do_redirect ( $HTTP_REFERER );
      else
        send_to_preferred_view ();
    }

Proof of Concept:
http://victim/webcalendar/layers_toggle.php?status=on&ret=[url_redirect_to]
VII. SOLUTION
Input validation will fix the bug.
VIII. ADVISORY
http://vd.lwang.org/webcalendar_crlf_injection.txt
IX. REFERENCE
http://www.k5n.us/webcalendar.php
On 12/2/05, Daniel Bertrand <danb@...urityfocus.com> wrote:
>
> Hi,
>
> What is the vendor web site for this application? I need this information
> to write up this BID.
>
> Regards,
>
> Dan B.
>
>
>
>
--
Regards,
Bill Louis
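
One way to implement the input validation named in section VII, shown as an added example that is not part of the original advisory or of WebCalendar's code. The helper name `validated_redirect_target` and the fallback page `index.php` are hypothetical; `$ret` and `do_redirect` come from the excerpt in section VI, and the sample inputs are constructed.

```php
<?php
// Added example: hypothetical helper, not WebCalendar code.
// Returns $ret only if it is a plain relative script name inside the
// application; anything else is replaced by $fallback.
function validated_redirect_target(string $ret, string $fallback = 'index.php'): string
{
    // PHP has already URL-decoded request parameters once. Decode a second
    // time so double-encoded sequences (%250d%250a) are caught as well.
    $decoded = rawurldecode($ret);
    foreach ([$ret, $decoded] as $candidate) {
        // Reject CR, LF, NUL and every other control character.
        if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
            return $fallback;
        }
    }
    // Allow only "<script>.php" with an optional query string:
    // no scheme, no host, no leading slash or backslash, no whitespace.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.php(\?[A-Za-z0-9_\-=&%.+]*)?$/', $ret)) {
        return $fallback;
    }
    return $ret;
}

// Constructed sample values for the ret parameter, as the script would
// receive them after PHP's own decoding of the query string.
$samples = [
    'month.php?date=20051201',              // legitimate return target
    "month.php\r\nX-Injected: 1",           // raw CRLF in the value
    'month.php%0d%0aX-Injected: 1',         // CRLF still encoded once
    'http://example.invalid/',              // absolute URL (off-site)
    '//example.invalid/',                   // scheme-relative URL
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", json_encode($s), validated_redirect_target($s));
}

// In the excerpt from section VI the call would then become:
//   do_redirect ( validated_redirect_target ( $ret ) );
```

Only the first sample is returned unchanged; the other four fall back to `index.php`. The `$HTTP_REFERER` branch of the excerpt is also client-controlled and would need the same check.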