PHP Event Calendar Multiple Parameter Cross Site Scripting Vulnerability
OS2A ID: OS2A_1007 Status:
08/20/2006 Issue Discovered
09/06/2006 Reported to the Vendor
09/09/2006 Fixed by Vendor
09/13/2006 Advisory Released
Class: Cross Site Scripting Severity: Low
Overview:
---------
PHP Event Calendar is a reusable PHP script that extends a web site's
functionality with an event scheduler and/or news archive.
http://www.softcomplex.com/products/php_event_calendar/
Description:
------------
A cross-site scripting vulnerability exists in PHP Event Calendar, due to input
validation error in parameters tilte(ti), body(bi) and backgroung Image(cbgi)
in cl_files/index.php page when adding a new event.
Successful exploitation requires authentication.
Impact:
-------
An authenticated remote attacker could inject malicious HTML and script code in
other user's browser session within the security context of the affected site.
Affected Software(s):
---------------------
PHP Event Calendar 1.5.1 (prior versions may also be vulnerable)
Proof of Concept:
-----------------
http://www.yoursite.com/directory_where_you_installed_php_event_calendar/cl_files/index.php
Vulnerable fields: title field - ti
body field - bi
Backgroung Image - cbgi
Insert "" in above field and click
"Add event".
CVSS Score Report:
-----------------
ACCESS_VECTOR = REMOTE
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
IMPACT_BIAS = INTEGRITY
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = OFFICIAL_FIX
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 2.1 (AV:R/AC:L/Au:R/C:N/I:P/A:N/B:I)
CVSS Temporal Score = 1.6
Risk factor = Low
Vendor Response:
---------------
"Attached is the version that blocks the use of the