On Sun, Jul 20, 2003 at 08:20:15PM -0500, noconflic wrote:
>
>
> Webcalendar 0.9.41 and below.
> http://webcalendar.sourceforge.net/
>
> Since this appears to be public info now.
>
> Problem:
> http://sourceforge.net/forum/forum.php?thread_id=901234&forum_id=11588
>
> Exploit:
> http://www.some.host/webcalendar/[filename].php?user_inc=../../../../../
etc/passwd
>
>
The bug seems to be in includes/function.php
in the "temporary hack" to make webcalendar working with
register_globals set to "off".
A quick fix could be to add:
unset($HTTP_GET_VARS["user_inc"]);
at the beginning of "includes/function.php".
My 2 cents ;-)
--
Emmanuel Lacour ------------------------------------ Easter-eggs
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:elacour (at) easter-eggs (dot) com [email concealed] - http://www.easter-eggs.com
>
>
> Webcalendar 0.9.41 and below.
> http://webcalendar.sourceforge.net/
>
> Since this appears to be public info now.
>
> Problem:
> http://sourceforge.net/forum/forum.php?thread_id=901234&forum_id=11588
>
> Exploit:
> http://www.some.host/webcalendar/[filename].php?user_inc=../../../../../
etc/passwd
>
>
The bug seems to be in includes/function.php
in the "temporary hack" to make webcalendar working with
register_globals set to "off".
A quick fix could be to add:
unset($HTTP_GET_VARS["user_inc"]);
at the beginning of "includes/function.php".
My 2 cents ;-)
--
Emmanuel Lacour ------------------------------------ Easter-eggs
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:elacour (at) easter-eggs (dot) com [email concealed] - http://www.easter-eggs.com
[ reply ]