Vulnerability Note VU#951632

WebCalendar does not adequately validate user input

Original Release date: 26 Sep 2002 | Last revised: 26 Sep 2002

Overview

WebCalendar does not properly validate user input, allowing attackers to execute arbitrary commands.

Description

WebCalendar is a free PHP application providing web calendar services for user groups. WebCalendar contains an unspecified input validation vulnerability, allowing arbitrary command execution by a malicious WebCalendar user. If WebCalendar is configured in "single-user mode" (a non-default configuration), attackers do not need a WebCalendar account to exploit this vulnerability.

Impact

Malicious users can execute arbitrary commands on the server.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

An unofficial patch is available from Secure Reality:

http://www.securereality.com.au/patches/WebCalendar-SecureReality.diff

Systems Affected

Vendor         Status    Date Notified  Date Updated
Craig Knudsen  Affected  -              23 Sep 2002

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

Thanks to Asher Glynn for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: Unknown
  • Date Public: 23 Apr 2001
  • Date First Published: 26 Sep 2002
  • Date Last Updated: 26 Sep 2002
  • Severity Metric: 4.28
  • Document Revision: 5