WebCalendar Pre-Auth PHP Code Execution

Added: 05/18/2012
CVE: CVE-2012-1495
BID: 53207
OSVDB: 80097

Background

WebCalendar is a PHP-based calendar application that can be configured as a single-user calendar, a multi-user calendar for groups of users, or as an event calendar viewable by visitors.

Problem

WebCalendar fails to properly sanitize user-supplied input passed via the install/index.php script. This can be exploited to execute arbitrary PHP code.

Resolution

Upgrade WebCalendar to version 1.2.5 or higher.

References

http://www.k5n.us/webcalendar.php

Limitations

This exploit has been tested against WebCalendar 1.2.4 on Ubuntu 10.04 Linux.

Platforms

Windows
Linux
Mac OS X
