author..........: Egidio Romano aka EgiX
mail............: n0b0d13s[at]gmail[dot]com
software link...: https://sourceforge.net/projects/webcalendar/
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] vulnerable code in /install/index.php (CVE-2012-1495)
Restricted access to this script isn't properly realized, so an attacker might be able
to update /includes/settings.php with arbitrary values or inject PHP code into it.
[-] vulnerable code to LFI in /pref.php (CVE-2012-1496)
Input passed through $_POST['pref_THEME'] isn't properly sanitized before being assigned
to $my_theme variable, this can be exploited to include arbitrary local files at line 77.
Exploitation of this vulnerability requires authentication and magic_quotes_gpc = off.
[-] Disclosure timeline:
[02/10/2011] - Vulnerabilities discovered
[04/10/2011] - Vendor notified to http://sourceforge.net/support/tracker.php?aid=3418570
[20/02/2012] - First vendor response
[28/02/2012] - Vendor fix committed to CVS
[29/02/2012] - Version 1.2.5 released
[02/03/2012] - CVE numbers requested
[02/03/2012] - Assigned CVE-2012-1495 and CVE-2012-1496
[23/04/2012] - Public disclosure
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80))) die( "\n[-] No response from {$host}:80\n");
fwrite($sock, $packet);
return stream_get_contents($sock);
}