From: Jim Hu <ji...@ta...> - 2008-04-29 14:59:54

Thanks Yuri,

The admin system should be completely removed for now, as it has not been worked on since I took over the project.

Jim

On Apr 29, 2008, at 8:35 AM, Yuri D'Elia wrote:

> Greetings,
>
> We've been trying to use your PHPiCalendar interface on our internal network and found some bugs and security issues you might want to be aware of.
>
> The 'admin' page allows deleting or uploading (read: overwriting) arbitrary files even if the user is not logged in (or logged in as a normal user). We introduced a check to disable those actions if the user is not correctly authenticated.
>
> Also, we introduced a check to verify that the file to be deleted is a known calendar (which is not perfect, since the path name is disclosed, but at least it is not arbitrary).
>
> The delete functionality was broken anyway. sanitize.php was stripping off all the filenames, so the exploitability was limited.
>
> PHPiCalendar did not work properly with http authentication, despite the relative option in the config.inc.php file. We commented out the additional (broken) code present to check pre-authenticated information. This allows the 'internal' scheme to work (which is enough for our purposes, since admin is the only user that needs extra authentication).
>
> I'm attaching the diff against 2.24, in case you need it for reference.
>
> Regards
>
> --
> Yuri D'Elia
> Institute of Genetic Medicine
>
> EURAC research
> Viale Druso 1, I-39100 Bolzano
> t +39 0471 055 534
> f +39 0471 055 599
> m +39 348 922 5095
> yur...@eu...
> www.eurac.edu
>
> This transmission is intended only for the use of the addressee and may contain confidential or legally privileged information. If you receive this transmission by error, please notify the author immediately by mail and delete all copies of this transmission and any attachments. Any use or dissemination of this communication is strictly prohibited by the "Privacy-Code", D.Lgs. 196/2003 and may lead to penal prosecution and liability for damages.
>
> <phpicalendar-2.24.diff>

=====================================
Jim Hu
Associate Professor
Dept. of Biochemistry and Biophysics
2128 TAMU
Texas A&M Univ.
College Station, TX 77843-2128
979-862-4054
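The two guards Yuri's message describes, refusing delete/upload unless the session is authenticated as admin and accepting only a file name that matches a known calendar, shown as an added PHP illustration. This is neither the attached diff nor PHPiCalendar's own code; the `$_SESSION['is_admin']` key, the calendar directory argument and the function names are assumptions.

```php
<?php
// Added example, not PHPiCalendar code: the two checks discussed in the thread.
// Assumptions: the admin login sets $_SESSION['is_admin'] = true, calendars are
// .ics files under $calendar_path, and this runs before any admin delete action.

function is_admin_session(): bool
{
    // Authorization check: anonymous and ordinary logged-in users are refused.
    return isset($_SESSION['is_admin']) && $_SESSION['is_admin'] === true;
}

function known_calendar_path(string $calendar_path, string $requested): ?string
{
    // Only a bare file name is accepted; any directory component is rejected so
    // the request cannot point outside the calendar directory.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    // Allowlist: the name must match an existing calendar in the directory
    // listing, so the server never acts on an arbitrary path from the request.
    $dir   = rtrim($calendar_path, '/');
    $known = array_map('basename', glob($dir . '/*.ics') ?: []);
    if (!in_array($requested, $known, true)) {
        return null;
    }
    return $dir . '/' . $requested;
}

function admin_delete_calendar(string $calendar_path, string $requested): bool
{
    if (!is_admin_session()) {
        http_response_code(403);   // not authenticated as admin: refuse outright
        return false;
    }
    $target = known_calendar_path($calendar_path, $requested);
    if ($target === null) {
        http_response_code(404);   // unknown or malformed name: nothing is touched
        return false;
    }
    return unlink($target);
}
```

Both checks sit in front of the file operation, so an unauthenticated request is rejected before the file name is even examined.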