Mike Spice's My Calendar does not adequately validate user input, allowing directory traversal. As a result, an attacker can cause My Calendar to overwrite any file on the server to which the web server process has write privileges.
Mike Spice's My Calendar is a CGI script written in Perl and made publicly available for creating dynamic web calendars. Multiple CGI variables may be passed to Perl's open() function without adequate validation to filter '../' sequences and null bytes. As a result, an attacker can cause My Calendar to traverse directories and overwrite any file on the server to which the web server process has write privileges.
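The validation the description says is missing, as an added Perl example (not My Calendar's own code or the vendor's fix): a CGI-supplied name is checked against an allow-list before it reaches open(). The data directory, the `.dat` suffix and the function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical data directory; My Calendar's real layout is not shown here.
my $DATA_DIR = '/var/www/mycalendar/data';

# Return an absolute path under $DATA_DIR for a CGI-supplied name,
# or undef if the name is not acceptable.
sub safe_data_path {
    my ($name) = @_;
    return undef unless defined $name;

    # Allow-list instead of stripping bad sequences: letters, digits,
    # underscore and hyphen only. This rejects '/', '.', and "\0" in one
    # step. \A and \z anchor the whole string; '$' would tolerate a
    # trailing newline.
    return undef unless $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;

    # The suffix is appended by the script, never taken from the request,
    # so a NUL byte cannot be used to cut it off at the C layer.
    return File::Spec->catfile($DATA_DIR, "$name.dat");
}

# Open a validated calendar file for writing; returns a handle or nothing.
sub open_for_write {
    my ($name) = @_;
    my $path = safe_data_path($name);
    return unless defined $path;

    # Three-argument open: the mode is fixed by the script, so characters
    # such as '>' or '|' in a path are never interpreted as a mode or pipe.
    open(my $fh, '>', $path) or return;
    return $fh;
}

# Constructed sample inputs: one legitimate name, then traversal,
# NUL-byte, path-separator and empty-string cases.
for my $input ('team2002', '../../etc/passwd', "events\0.html", 'a/b', '') {
    (my $shown = $input) =~ s/\0/\\0/g;    # make the NUL visible when printed
    printf "%-22s => %s\n", "'$shown'",
        defined safe_data_path($input) ? 'accepted' : 'rejected';
}
```

Running the script only exercises the validator on the constructed inputs; `open_for_write` is defined but not called, so nothing is written to disk.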
Remote attackers can overwrite files on the server.
Upgrade to version 1.5 or later of My Calendar:
Thanks to Mike Spice for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
|Date First Published:|2002-09-18|
|Date Last Updated:|2002-09-18 14:09 UTC|