Version 1.0.5 of WebCalendar has been release. All 1.0.X and earlier
users are strongly encouraged to upgrade to version 1.0.5. Users of
WebCalendar 1.1.X can upgrade to the most recent code in CVS (where this
issue has been fixed). A new 1.1.X release should be made available
shortly.
You can obtain version 1.0.5 from SourceForge.net:
http://sourceforge.net/project/showfiles.php?group_id=3870&package_id=3844&release_id=491130
<http://sourceforge.net/project/showfiles.php?group_id=3870&package_id=3844&release_id=491130>
This release fixes a potential security issue with WebCalendar 1.0.4 and
earlier. (This bug has not hit the Bugtraq list yet, but I have been
told that it will soon.) Below is an overview of the exploit:
EXPLOIT INFO:
Suggested name: Empty noSet includedir crack
Description: Recent versions of Webcalendar (including 1.0.3, 1.0.4,
1.1.2) uses a global array $noSet to list variables that can not be
set by the HTTP query string. The problem is that the variable noSet
itself isn't protected this way and hence can be set in the query
string - effectively wiping out noSet making the old includedir
exploit working WITHOUT register_globals on.
If you have any questions about this exploit of the upgrade process,
please post them to the Help/Troubleshooting forum on SourceForge.net:
http://sourceforge.net/forum/forum.php?forum_id=11588
Thanks,
Craig
|