J-Security Center

Title: WebCalendar Remote Command Execution Vulnerability

Severity: HIGH

Description:

WebCalendar is a freely available PHP web application used to maintain a calendar for one or more people.

Because of an input validation error, a malicious user with a valid WebCalendar account may be able to inject carefully crafted PHP code into their personal preference fields in the WebCalendar database, changing how the script is interpreted when those preferences are loaded.

The problem lies in the load_user_preferences() function found in "includes/functions.inc", which is used to load a user's preferences and store the values as global variables. The following section of code is mainly responsible for the vulnerability:

// Vulnerable code as found in load_user_preferences(); shown unchanged.
$res = dbi_query (
  "SELECT cal_setting, cal_value FROM webcal_user_pref " .
  "WHERE cal_login = '$login'" );
if ( $res ) {
  while ( $row = dbi_fetch_row ( $res ) ) {
    // $row[0] (setting name) and $row[1] (setting value) are taken from the
    // database and pasted directly into a PHP statement, then evaluated.
    $cmd = "\$GLOBALS[" . $row[0] . "] = \"" . $row[1] . "\";";
    eval ( $cmd );
  }
  dbi_free_result ( $res );
}

Because no input checking is done on the data retrieved from the database, a user could inject carefully crafted PHP code into their preference values and have it executed when the assignment command is constructed and passed to eval().
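The following is an added example (not WebCalendar's own code or its official fix) showing how the loop above can be rewritten so that database contents are handled as data rather than as PHP source: eval() is dropped in favour of a plain array assignment, and setting names are checked against an allow-list as defence in depth. The rows are passed in as an array so the function runs without a database; the allow-list entries and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example, not code from WebCalendar. In the real application the rows
// would come from the dbi_query()/dbi_fetch_row() calls quoted in the advisory;
// here they are supplied as [setting, value] pairs so the code runs stand-alone.

// Assumed allow-list of legitimate preference names (illustrative only).
const WEBCAL_ALLOWED_PREFS = ['LANGUAGE', 'TIME_FORMAT', 'WEEK_START', 'DISPLAY_WEEKENDS'];

/**
 * Store each preference as a global variable without ever building PHP source.
 * Returns the list of setting names that were rejected by the allow-list.
 */
function load_user_preferences_safe(array $rows): array
{
    $rejected = [];
    foreach ($rows as [$setting, $value]) {
        // Unknown setting names are logged and skipped rather than assigned.
        if (!in_array($setting, WEBCAL_ALLOWED_PREFS, true)) {
            error_log("webcalendar: ignoring unknown preference name " . var_export($setting, true));
            $rejected[] = $setting;
            continue;
        }
        // Direct assignment: quotes, semicolons or PHP syntax inside $value are
        // just characters in a string, because nothing is parsed as code.
        $GLOBALS[$setting] = (string) $value;
    }
    return $rejected;
}

// Constructed sample rows: two ordinary preferences, one allowed setting whose
// value contains characters that would have closed the quoted string in the
// original eval() command, and one setting name that is not on the allow-list.
$sampleRows = [
    ['LANGUAGE',      'English-US'],
    ['WEEK_START',    '1'],
    ['TIME_FORMAT',   '24"; not code; "'],
    ['BOGUS_SETTING', 'anything'],
];

$rejected = load_user_preferences_safe($sampleRows);
var_dump($GLOBALS['LANGUAGE'], $GLOBALS['TIME_FORMAT'], $rejected);
```

Running the script shows TIME_FORMAT holding its full literal value, including the quote and semicolon, and BOGUS_SETTING listed as rejected; no statement was ever evaluated.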

Using a built-in PHP function such as popen(), an attacker may, for example, send an xterm back to his or her system, providing interactive 'local' access to the host. With 'local' access, root compromise may become much easier for an attacker.

In WebCalendar configurations where "single user mode" is enabled (though not found by default), the problem becomes considerably more serious: no authentication is done, allowing any remote user to exploit this vulnerability.

Affected Products:

  • WebCalendar WebCalendar 0.9.15
  • WebCalendar WebCalendar 0.9.24
  • k5n WebCalendar 0.9.11
  • k5n WebCalendar 0.9.16
  • k5n WebCalendar 0.9.19
  • k5n WebCalendar 0.9.20
  • k5n WebCalendar 0.9.21
  • k5n WebCalendar 0.9.22
  • k5n WebCalendar 0.9.23
  • k5n WebCalendar 0.9.25
  • k5n WebCalendar 0.9.26
  • k5n WebCalendar 0.9.8

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.