Summary
This host is running PHP Calendar and is prone to remote and local file inclusion vulnerabilities.
Impact
Successful exploitation allows an attacker to include and execute arbitrary files from local and external resources, and to gain sensitive information about remote system directories, when register_globals is enabled.
Impact level: Application
Solution
Upgrade to PHP-Calendar version 1.4 or later.
For updates, refer to http://www.cascade.org.uk/software/php/calendar/
Insight
The flaw is due to an error in the handling of the 'configfile' parameter in 'update08.php' and 'update10.php', which is not properly verified before being used to include files.
Affected
PHP-Calendar version 1.1 and prior on all platforms.
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2009-3702
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P