[<prev] [next>] [day] [month] [year] [list]
Message-ID: <498C5E56.5060109@madirish.net>
Date: Fri, 06 Feb 2009 10:59:18 -0500
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: PHP-Calendar SQL Credential Disclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Security Risk: Moderate
Exploitable: Remotely
Vulnerability: Information disclosure
Version: Multiple Versions
PHP-Calendar (http://www.php-calendar.com) was "written for a college
social group at Northeastern University to keep track of events, etc. We
were previously using localendar, which I (Sean Proctor) didn't like and
had some problems with. I found CST-Calendar which did most of what I
wanted, but was rather ugly and missed some features that we needed. So,
I gradually re-wrote CST-Calendar since that project seemed to have
stopped work entirely."
This vulnerability centers around the fact that PHP-Calendar comes with
update scripts to update previous versions of the software. These
scripts will print to the screen the database host, username, password,
database name, table prefix, and database type. This file is named in
two separate conventions depending on the installed version of
PHP-Calendar. In versions prior to 1.1 this file is named "update.php"
in version 1.1 two files exist named "update08.php" and "update10.php".
Calling these files via a web browser (e.x.
http://targetsite.com/phpcalendar/update.php) will print a succinct
message including the above described information.
Determinging version of PHP-Calendar is often trivial as a NEWS file is
included in every distribution that will reveal version information.
Browsing to http://targetsite.tld/phpcalendar/NEWS will display the
versioning information if that file is present. Note that several
versions of PHP-Calendar are affected by other vulnerabilities (SQL
injection - http://www.securityfocus.com/bid/13405/, remote file
inclusion - http://www.securityfocus.com/bid/12127/).
Remediation
Removal of the update scripts and all other unnecessary files (AUTHORS,
COPYING, FAQ, INSTALL, NEWS, README, UPDATE) should remedy this
vulnerability. Unfortunately instructions about the removal of these
files is not included in the installation guide or the automated install
scripts.
- --
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQD1AwUBSYxeVZEpbGy7DdYAAQLjfgb/dUsoJhEHQt4vO5f0TdRHwvBCgn4a9lQv
OKM/Eg3jLbAVHHLitBJnN8TabGr2DUc+aJYSk62BCY2r8HrLZGsNd9fLkKWNZYKR
BH7CV0LBtRyicP25NVeBPQ133Z7UYpH+cbbAmp+W00OdomPANsQcGtNzwFPuDbXo
lQyGKzgLsKQD1iS+FYifkW5QC0Z5O0RkphInxTR5JGODcSVah3y3l6aWxIl0q2eq
cMWR+qDY2A9fP0VzwlANhLMcgO/XI4ZmAxDKC17g/BkHTEqL/SFwuRcvoocsvcQ3
jcloc+gm+68=
=kWDx
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists