Overview
Mike Spice's My Calendar does not adequately validate user input, allowing directory traversal. As a result, an attacker can cause My Calendar to overwrite any file on the server to which the web server process has write privileges.
Description
Mike Spice's My Calendar is a CGI script written in Perl and made publicly available for creating dynamic web calendars. Multiple CGI variables may be passed to Perl's open() function without adequate validation to filter '../' sequences and null bytes. As a result, an attacker can cause My Calendar to traverse directories and overwrite any file on the server to which the web server process has write privileges.
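The validation the description says was missing, sketched as an added Perl example; this is not My Calendar's code or the vendor's 1.5 fix. The helper names `safe_data_path` and `write_entry`, the `.txt` suffix, and the data directory are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical data directory; a temp dir so the example runs anywhere.
my $DATA_DIR = tempdir(CLEANUP => 1);

# Map an untrusted CGI value to a file inside $DATA_DIR, or return undef.
sub safe_data_path {
    my ($name) = @_;
    return undef unless defined $name;
    # Allowlist instead of stripping bad sequences: letters, digits, '_' and
    # '-' only. '/', '\', '.' and the NUL byte can never match, so '../'
    # sequences and null-byte truncation are rejected outright.
    return undef unless $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    my $path = File::Spec->catfile($DATA_DIR, "$name.txt");
    # Refuse to write through a symlink planted in the data directory.
    return undef if -l $path;
    return $path;
}

# Append one line to a calendar file; returns 1 on success, 0 on rejection.
sub write_entry {
    my ($name, $text) = @_;
    my $path = safe_data_path($name) or return 0;
    # Three-argument open: the mode is fixed by the code, so characters in
    # the file name are never interpreted as a mode or a pipe.
    open(my $fh, '>>', $path) or return 0;
    print {$fh} $text, "\n";
    close($fh) or return 0;
    return 1;
}

# Constructed inputs: one legitimate name and three that must be refused.
my @cases = ('team_calendar', '../../etc/passwd', "events\0.html", '/tmp/x');
for my $name (@cases) {
    my $ok = write_entry($name, '2002-01-10 example entry');
    (my $shown = $name) =~ s/\0/\\0/g;    # make the NUL byte visible
    printf "%-20s %s\n", $shown, $ok ? 'written' : 'rejected';
}
```

Only `team_calendar` is written; the other three values are rejected before any call to open().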
Impact
Remote attackers can overwrite files on the server.
Solution
Upgrade to version 1.5 or later of My Calendar.
Acknowledgements
Thanks to Mike Spice for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Other Information
| CVE IDs: | None |
| Severity Metric: | 3.42 |
| Date Public: | 2002-01-10 |
| Date First Published: | 2002-09-18 |
| Date Last Updated: | 2002-09-18 14:09 UTC |
| Document Revision: | 5 |