Overview
WebCalendar does not properly validate user input, allowing attackers to execute arbitrary commands.
Description
WebCalendar is a free PHP application providing web calendar services for user groups. WebCalendar contains an unspecified input validation vulnerability, allowing arbitrary command execution by a malicious WebCalendar user. If WebCalendar is configured in "single-user mode" (a non-default configuration), attackers do not need a WebCalendar account to exploit this vulnerability. |
Impact
Malicious users can execute arbitrary commands on the server. |
Solution
The CERT/CC is currently unaware of a practical solution to this problem. |
An unofficial patch is available from Secure Reality: http://www.securereality.com.au/patches/WebCalendar-SecureReality.diff |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Asher Glynn for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Other Information
| CVE IDs: | CVE-2001-0477 |
| Severity Metric: | 4.28 |
| Date Public: | 2001-04-23 |
| Date First Published: | 2002-09-26 |
| Date Last Updated: | 2002-09-26 21:58 UTC |
| Document Revision: | 5 |