Back to list
Security, Open Source Style
May 27 2008 01:50PM
Josh Bressers (bressers redhat com)
Calcium web calendar: Reflected XSS
May 28 2008 08:30PM
Marvin Simkin (Marvin Simkin asu edu)
Vendor: Brown Bear Software
Vendor web page: http://brownbearsw.com/
Product: Calcium web calendar
Product web page: http://brownbearsw.com/calcium/WhatIsIt.html
Vendor's Product Description:
Calcium is a Web Calendar application. It will run on nearly any machine with a web server that can run Perl CGI scripts; a web browser is all you need to view, edit, and manage any number of calendars from any network connected computer. All administration is done with your browser - after installation, there's no need to log in to the web server.
Vulnerability class: Cross-Site Scripting
Calcium web calendar is vulnerable to "reflected" (type 1) cross-site scripting (XSS). For a discussion of the various types of XSS, and XSS in general, see
Proof of concept, version 4.0.4:
Attacker could impersonate victim to do any activity the victim is authorized to do through a compromised web site, for example, initiate funds transfers or access private data. Under some circumstances the existence of this vulnerability in one web site could be used to attack other web sites in the same DNS domain. For example, if host "a.example.com" shares cookies with host "b.example.com" and "b" is vulnerable, "b" can be used to attack "a".
Calcium 4.0.4 Vulnerable
Calcium 3.10 Vulnerable
1. User web client with scripting languages enabled.
2. Web server hosting unpatched software.
3. Other web servers on the same DNS domain.
1. Victim web client may disable scripting languages.
2. Vulnerable web site may temporarily shut down until patch can be applied.
3. Exposed web sites sharing the same DNS domain should not share authentication cookies with vulnerable site.
Researcher's quick patch for version 4.0.4:
Until vendor patch is received, this may help. Use at your own risk.
In file cgi-bin/CalciumDir40/Calendar/Database.pm
< die "Bad Calendar or Database name! '$dbName' \n"
> die "Bad Calendar or Database name!\n"
Vendor provided a patch by email.
Local access to victim computer required: NO.
Victim user assistance required:
YES. For example, victim can be enticed to visit a malicious web page or open a malicious email.
NO. Attack can be carried out by an unauthenticated attacker against an unauthenticated victim. However, if the victim has authenticated to a web site, the attacker may be able to steal the victim's authentication credentials and use them to access the victim's private information and/or complete any action that the victim is authorized to perform on that web site, or on other web sites in the same DNS domain that share authentication cookies.
2008-05-13 Vulnerability discovered.
2008-05-14 Vendor notified.
2008-05-14 Initial vendor response.
2008-05-22 Vendor provided patch for version 4.0.4.
2008-05-23 Vendor provided patch for version 3.10.
2008-05-28 Vendor commented on draft of this disclosure.
2008-05-28 Public disclosure.
All information is thought to be correct as of the time of disclosure, however, this information is provided without any assurance as to its accuracy or reliability.
The purpose of this disclosure is to alert users who may be at risk, and empower them to test their own systems, with the goal of improving Internet security for all. It may be illegal to use this information to test systems you do not own.
You are responsible for what you do with this information. No one else accepts liability for what you do.
Credit: Discovered by Marvin Simkin.
About the author:
Marvin Simkin was one of several security researchers to independently discover "reflected" (type 1) XSS and participate in responsible disclosure in 1999. At the time of discovery, available statistics suggested that at least 95% of all web sites on the Internet were vulnerable.
Manager of Information Technology
School of Earth and Space Exploration
Arizona State University
[ reply ]
Copyright 2010, SecurityFocus