WebCalendar does not properly validate user input, allowing attackers to execute arbitrary commands.
WebCalendar is a free PHP application providing web calendar services for user groups. WebCalendar contains an unspecified input validation vulnerability, allowing arbitrary command execution by a malicious WebCalendar user. If WebCalendar is configured in "single-user mode" (a non-default configuration), attackers do not need a WebCalendar account to exploit this vulnerability.
Malicious users can execute arbitrary commands on the server.
The CERT/CC is currently unaware of a practical solution to this problem.
An unofficial patch is available from Secure Reality:
Thanks to Asher Glynn for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
|Date First Published:||2002-09-26|
|Date Last Updated:||2002-09-26 21:58 UTC|