Vulnerability Note VU#951632
WebCalendar does not adequately validate user input
WebCalendar does not properly validate user input, allowing attackers to execute arbitrary commands.
WebCalendar is a free PHP application providing web calendar services for user groups. WebCalendar contains an unspecified input validation vulnerability, allowing arbitrary command execution by a malicious WebCalendar user. If WebCalendar is configured in "single-user mode" (a non-default configuration), attackers do not need a WebCalendar account to exploit this vulnerability.
Malicious users can execute arbitrary commands on the server.
The CERT/CC is currently unaware of a practical solution to this problem.
An unofficial patch is available from Secure Reality:
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Craig Knudsen | Affected | - | 23 Sep 2002 |
Thanks to Asher Glynn for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
- CVE IDs: Unknown
- Date Public: 23 Apr 2001
- Date First Published: 26 Sep 2002
- Date Last Updated: 26 Sep 2002
- Severity Metric: 4.28
- Document Revision: 5