[30907] in bugtraq
Re: WebCalendar Include File
daemon@ATHENA.MIT.EDU (Emmanuel Lacour)
Fri Jul 25 16:58:35 2003
Date: Thu, 24 Jul 2003 23:51:38 +0200
From: Emmanuel Lacour <elacour@easter-eggs.com>
To: bugtraq@securityfocus.com
Message-ID: <20030724215138.GA8656@easter-eggs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20030721012015.GA59895@ak.texas-shooters.com>
On Sun, Jul 20, 2003 at 08:20:15PM -0500, noconflic wrote:
>
>
> Webcalendar 0.9.41 and below.
> http://webcalendar.sourceforge.net/
>
> Since this appears to be public info now.
>
> Problem:
> http://sourceforge.net/forum/forum.php?thread_id=901234&forum_id=11588
>
> Exploit:
> http://www.some.host/webcalendar/[filename].php?user_inc=../../../../../etc/passwd
>
>
The bug seems to be in includes/function.php
in the "temporary hack" to make webcalendar working with
register_globals set to "off".
A quick fix could be to add:
unset($HTTP_GET_VARS["user_inc"]);
at the beginning of "includes/function.php".
My 2 cents ;-)
--
Emmanuel Lacour ------------------------------------ Easter-eggs
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:elacour@easter-eggs.com - http://www.easter-eggs.com
