oss-sec mailing list archives

Re: CVE-request: Webcalendar 1.2.4 location XSS

From: Henri Salo <henri () nerv fi>
Date: Sun, 12 Feb 2012 11:52:25 +0200

On Sun, Feb 12, 2012 at 10:17:46AM +0200, Henri Salo wrote:

On Sat, Feb 11, 2012 at 11:04:19PM -0500, Eitan Adler wrote:

On Sat, Feb 11, 2012 at 11:41 AM, Henri Salo <henri () nerv fi> wrote:

This seems to be missing 2012 CVE.

Original report: http://seclists.org/bugtraq/2012/Jan/128
Project page: https://sourceforge.net/projects/webcalendar/
Version affected: 1.2.4 (the newest)


So far as I could see the newest version is 1.2.3
(http://sourceforge.net/projects/webcalendar/?source=directory and
http://www.k5n.us/webcalendar.php?topic=News don't list 1.2.4)


Page http://sourceforge.net/projects/webcalendar/files/webcalendar%201.2/ lists 1.2.4 version. I have no idea why the 
other page doesn't list it at all. No reply to bug-report: 
http://sourceforge.net/tracker/?func=detail&aid=3472745&group_id=3870&atid=103870 and only thing I found strange in 
the report is "Version: 1.2.5" as there isn't such available. I can verify this advisory if you want.

- Henri Salo


So if you have javascript enabled in *.sourceforge.net this PoC works in demo-page: 
http://webcalendar.sourceforge.net/demo/view_entry.php?id=2142&date=20120212 and I also tested this in version 1.2.4 
(modified 2011-08-09) and it works as stored XSS. Changelog for 1.2.4 says:

Version 1.2.4 (08 Aug 2011)
 - Fixed XSS vulnerability: malicious javascript in event descriptions submitted
   by public can do bad things (create admin account, delete events, etc.)
   when the pending event is viewed by the admin.
 - Fixed bug: PHP warnings on search
 - Removed PHP warnings
 - Bug fix: undefined function date_default_timezone_set in older versions
   of PHP.

I can't find release 1.2.5 from SF project-page nor in http://www.k5n.us/downloads.php or in news. If the code indeed 
has stored XSS in versions 1.2.3 and 1.2.4 there probably is more of them. SHA256 for WebCalendar-1.2.4.tar.gz is: 
09dea6511bf692f08e08a1a6088e547517a11ba746dde6b5e2cd57bb0081cfee

At the moment download counts:
1.2.4 zip 8644
1.2.4 tar.gz 1838

Definitely needs a 2012 CVE-identifier.

- Henri Salo

Current thread:

CVE-request: Webcalendar 1.2.4 location XSS Henri Salo (Feb 11)
- Re: CVE-request: Webcalendar 1.2.4 location XSS Eitan Adler (Feb 11)
  - Re: CVE-request: Webcalendar 1.2.4 location XSS Henri Salo (Feb 12)
    - Re: CVE-request: Webcalendar 1.2.4 location XSS Henri Salo (Feb 12)
    - Re: CVE-request: Webcalendar 1.2.4 location XSS Kurt Seifried (Feb 13)