[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE-request: Webcalendar 1.2.4 location XSS
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-02-13 16:09:38
Message-ID: 4F3935C2.1050603 () redhat ! com
[Download RAW message or body]

On 02/12/2012 02:52 AM, Henri Salo wrote:
> On Sun, Feb 12, 2012 at 10:17:46AM +0200, Henri Salo wrote:
> > On Sat, Feb 11, 2012 at 11:04:19PM -0500, Eitan Adler wrote:
> > > On Sat, Feb 11, 2012 at 11:41 AM, Henri Salo <henri@nerv.fi> wrote:
> > > > This seems to be missing 2012 CVE.
> > > > 
> > > > Original report: http://seclists.org/bugtraq/2012/Jan/128
> > > > Project page: https://sourceforge.net/projects/webcalendar/
> > > > Version affected: 1.2.4 (the newest)
> > > 
> > > So far as I could see the newest version is 1.2.3
> > > (http://sourceforge.net/projects/webcalendar/?source=directory and
> > > http://www.k5n.us/webcalendar.php?topic=News don't list 1.2.4)
> > 
> > Page http://sourceforge.net/projects/webcalendar/files/webcalendar%201.2/ lists 1.2.4 \
> > version. I have no idea why the other page doesn't list it at all. No reply to bug-report: \
> > http://sourceforge.net/tracker/?func=detail&aid=3472745&group_id=3870&atid=103870 and only \
> > thing I found strange in the report is "Version: 1.2.5" as there isn't such available. I \
> > can verify this advisory if you want. 
> > - Henri Salo
> 
> So if you have javascript enabled in *.sourceforge.net this PoC works in demo-page: \
> http://webcalendar.sourceforge.net/demo/view_entry.php?id=2142&date=20120212 and I also \
> tested this in version 1.2.4 (modified 2011-08-09) and it works as stored XSS. Changelog for \
> 1.2.4 says: 
> Version 1.2.4 (08 Aug 2011)
> - Fixed XSS vulnerability: malicious javascript in event descriptions submitted
> by public can do bad things (create admin account, delete events, etc.)
> when the pending event is viewed by the admin.
> - Fixed bug: PHP warnings on search
> - Removed PHP warnings
> - Bug fix: undefined function date_default_timezone_set in older versions
> of PHP.
> 
> I can't find release 1.2.5 from SF project-page nor in http://www.k5n.us/downloads.php or in \
> news. If the code indeed has stored XSS in versions 1.2.3 and 1.2.4 there probably is more of \
> them. SHA256 for WebCalendar-1.2.4.tar.gz is: \
> 09dea6511bf692f08e08a1a6088e547517a11ba746dde6b5e2cd57bb0081cfee 
> At the moment download counts:
> 1.2.4 zip 8644
> 1.2.4 tar.gz 1838
> 
> Definitely needs a 2012 CVE-identifier.
> 
> - Henri Salo

Please use CVE-2012-0846 for this Webcalendar location variable XSS issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)


[prev in list] [next in list] [prev in thread] [next in thread]