WebCalendar "pref_THEME" File Inclusion Vulnerability


Description   Egidio Romano has discovered a vulnerability in WebCalendar, which can be exploited by malicious users to disclose sensitive information.
Input passed via the "pref_THEME" parameter to pref.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
Successful exploitation requires that "magic_quotes_gpc" is disabled, since that setting backslash-escapes the NULL byte and so defeats the path truncation the attack relies on.
The vulnerability is confirmed in version 1.2.4. Prior versions may also be affected.
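An added detection example, not code from the advisory or from WebCalendar: it scans constructed access-log lines for requests to pref.php and classifies the decoded "pref_THEME" value against the patterns described above (traversal, encoded NULL byte, /etc/passwd, URL as parameter), with an assumed allow-list shape for legitimate theme names. Alarm names are loosely modelled on the ASQ alarm list on this page; the log lines are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2012:10:00:01 +0000] "GET /webcalendar/pref.php?pref_THEME=default HTTP/1.1" 200 512
10.0.0.6 - - [24/Apr/2012:10:00:02 +0000] "GET /webcalendar/pref.php?pref_THEME=../../../../etc/passwd%00 HTTP/1.1" 200 2048
10.0.0.7 - - [24/Apr/2012:10:00:03 +0000] "GET /webcalendar/pref.php?pref_THEME=..%2F..%2Fconfig HTTP/1.1" 200 300
10.0.0.8 - - [24/Apr/2012:10:00:04 +0000] "GET /webcalendar/pref.php?pref_THEME=http://example.org/x HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Assumed allow-list shape for a theme name: a plain identifier, no path characters.
THEME_OK = re.compile(r"^[A-Za-z0-9_-]+$")


def classify_theme(decoded):
    """Return the alarm names triggered by one already URL-decoded pref_THEME value."""
    alarms = []
    if "\x00" in decoded:
        alarms.append("Escaped NULL char in URL")
    if decoded.startswith("../") or "..\\" in decoded:
        alarms.append("Directory traversal")
    if "/etc/passwd" in decoded:
        alarms.append("Local File Inclusion - suspicious /etc/passwd")
    if re.match(r"^[a-z][a-z0-9+.-]*://", decoded):
        alarms.append("Remote file inclusion prevention : URL found as parameter")
    # Anything else that is not a plain theme identifier is still worth a look.
    if not alarms and not THEME_OK.match(decoded):
        alarms.append("pref_THEME outside allow-list")
    return alarms


def scan_log(text):
    """Return (client, decoded theme, alarms) for every pref.php request in the log."""
    results = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/pref.php"):
            continue
        client = line.split(" ", 1)[0]
        # parse_qs percent-decodes once, so %00 and %2F become the raw bytes here.
        for theme in parse_qs(url.query, keep_blank_values=True).get("pref_THEME", []):
            results.append((client, theme, classify_theme(theme)))
    return results


if __name__ == "__main__":
    for client, theme, alarms in scan_log(SAMPLE_LOG):
        print(client, repr(theme), alarms or "clean")
```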
     
Vulnerable Products   Vulnerable Software:
WebCalendar 1.x
     
Solution   Update to version 1.2.5.
     
CVE   CVE-2012-1496
     
References   WebCalendar:
http://webcalendar.cvs.sourceforge.net/viewvc/webcalendar/webcalendar/ChangeLog?pathrev=REL_1_2
Egidio Romano:
http://archives.neohapsis.com/archives/bugtraq/2012-04/0182.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                                                     Available Since
Misc : Directory traversal - parameter starting with ../                             3.2.0
PHP : Remote file inclusion prevention : suspicious root_path parameter found in URL 3.2.0
Directory traversal using ..\..                                                      3.2.0
Directory traversal                                                                  3.2.0
PHP : Remote file inclusion prevention : URL found as parameter                      3.2.0
Directory traversal backward root folder                                             3.2.0
Escaped NULL char in URL                                                             3.2.0
Misc : Local File Inclusion - suspicious /etc/passwd found in URL                    3.5.0
     
Risk level   Low

Vulnerability First Public Report Date   2012-04-24

Target Type   Server

Possible exploit   Remote