Information security

From: OS2A BTO <os2a.bto_(at)_gmail.com>
Date: 14 September 2006
Subject: PHP Event Calendar Multiple Parameter Cross Site Scripting Vulnerability

PHP Event Calendar Multiple Parameter Cross Site Scripting Vulnerability


OS2A ID: OS2A_1007

Status:
    08/20/2006      Issue Discovered
    09/06/2006      Reported to the Vendor
    09/09/2006      Fixed by Vendor
    09/13/2006      Advisory Released

Class: Cross Site Scripting             Severity: Low


Overview:
---------
PHP Event Calendar is a reusable PHP script that extends a web site's
functionality with an event scheduler and/or news archive.
http://www.softcomplex.com/products/php_event_calendar/

Description:
------------
A cross-site scripting vulnerability exists in PHP Event Calendar due to an input
validation error in the title (ti), body (bi) and background image (cbgi)
parameters of the cl_files/index.php page when adding a new event.

Successful exploitation requires authentication.

Impact:
-------
An authenticated remote attacker could inject malicious HTML and script code in
other user's browser session within the security context of the affected site.

Affected Software(s):
---------------------
PHP Event Calendar 1.5.1 (prior versions may also be vulnerable)

Proof of Concept:
-----------------
http://www.yoursite.com/directory_where_you_installed_php_event_calendar/cl_files/index.php

Vulnerable fields: title field       - ti
                   body field        - bi
                   background image  - cbgi

Insert "<script>alert('XSS Vulnerable');</script>" in any of the above fields and
click "Add event".

CVSS Score Report:
------------------
   ACCESS_VECTOR          = REMOTE
   ACCESS_COMPLEXITY      = LOW
   AUTHENTICATION         = REQUIRED
   CONFIDENTIALITY_IMPACT = NONE
   INTEGRITY_IMPACT       = PARTIAL
   AVAILABILITY_IMPACT    = NONE
   IMPACT_BIAS            = INTEGRITY
   EXPLOITABILITY         = PROOF_OF_CONCEPT
   REMEDIATION_LEVEL      = OFFICIAL_FIX
   REPORT_CONFIDENCE      = CONFIRMED
   CVSS Base Score        = 2.1 (AV:R/AC:L/Au:R/C:N/I:P/A:N/B:I)
   CVSS Temporal Score    = 1.6
   Risk factor            = Low


Vendor Response:
----------------
"Attached is the version that blocks the use of the <script> in the
text of the event. We can't block use of HTML completely because many
users want to be able to use HTML for the event descriptions. The
events are managed in the password protected control panel so there
was no security threat even before the change was applied."
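The vendor's fix blocks the `<script>` tag in event text while leaving other HTML usable. As an added illustration of the defender-side alternative (this is example code written for this page, not PHP Event Calendar's own code), the snippet below HTML-encodes the three fields named in the advisory (ti, bi, cbgi) at output time and then restores a small, assumed allowlist of attribute-free formatting tags in the body, so users keep basic markup without any tag attributes reaching the page. The field names, the allowlist, the image-name rule and the `images/` directory are assumptions for the example.

```php
<?php
// Added example (not PHP Event Calendar's own code): encode the event
// fields from the advisory (ti, bi, cbgi) on output, then restore only
// bare allowlisted formatting tags in the body.

// Tags that may survive in the event body. They are restored only in the
// exact attribute-free form "<tag>" / "</tag>", so no attribute (and thus
// no event handler or URL) can pass through. Assumed allowlist.
const ALLOWED_BODY_TAGS = ['b', 'i', 'u', 'p', 'br', 'em', 'strong', 'ul', 'ol', 'li'];

// Encode a value for placement in HTML text content.
function encode_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode a value for placement inside a double-quoted HTML attribute.
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode the whole body first, then re-enable allowlisted tags. Anything
// that is not exactly an allowlisted bare tag stays inert, encoded text.
function render_body(string $body): string
{
    $safe = encode_text($body);
    foreach (ALLOWED_BODY_TAGS as $tag) {
        $safe = str_replace("&lt;$tag&gt;", "<$tag>", $safe);
        $safe = str_replace("&lt;/$tag&gt;", "</$tag>", $safe);
    }
    return $safe;
}

// The background image should only ever name a file in the calendar's own
// images directory, so validate the shape of the value as well as encoding
// it. Assumed naming rule and directory.
function render_background_image(string $name): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(?:png|gif|jpe?g)\z/', $name)) {
        return '';   // reject anything that is not a plain image file name
    }
    return ' style="background-image:url(\'images/' . encode_attr($name) . '\')"';
}

// Render one event with every field passed through the matching encoder.
function render_event(array $event): string
{
    return '<div class="event"' . render_background_image($event['cbgi']) . '>'
         . '<h3>' . encode_text($event['ti']) . '</h3>'
         . '<div class="body">' . render_body($event['bi']) . '</div>'
         . '</div>';
}

// Constructed sample input carrying the advisory's test string in each field.
$sample = [
    'ti'   => "<script>alert('XSS Vulnerable');</script>",
    'bi'   => "<b>Team meeting</b><script>alert('XSS Vulnerable');</script>",
    'cbgi' => "<script>alert('XSS Vulnerable');</script>",
];
echo render_event($sample), "\n";
```

With the sample input the title and the script portion of the body come out as encoded text, the `<b>` markup in the body is preserved, and the background image value is dropped because it does not match the file-name rule. Encoding at output rather than filtering at input keeps the stored event data intact and covers every place the fields are rendered.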


Solution:
---------

Update to the fixed version:
http://www.softcomplex.com/products/php_event_calendar/

Credits:
--------
NR Nandini of OS2A has been credited with the discovery of this vulnerability.

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod