Steffen Joeris
2009-Jan-29 19:08 UTC
[Secure-testing-team] Bug#513517: phpicalendar: Several vulnerabilities
Package: phpicalendar
Severity: grave
Tags: security
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) ids were published for phpicalendar.

CVE-2008-5840[0]:
| PHP iCalendar 2.24 and earlier allows remote attackers to bypass
| authentication by setting the phpicalendar and phpicalendar_login
| cookies to 1.

CVE-2008-5967[1]:
| admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not
| require administrative authentication for an addupdate action, which
| allows remote attackers to upload a calendar (aka .ics) file with
| arbitrary content to the calendars/ directory outside the web root.

CVE-2008-5968[2]:
| Directory traversal vulnerability in print.php in PHP iCalendar 2.24
| and earlier allows remote attackers to include and execute arbitrary
| local files via a .. (dot dot) in the cookie_language parameter in a
| phpicalendar_* cookie, a different vector than CVE-2006-1292.

These issues read like common issues in PHP apps and I am wondering whether phpicalendar is ready for a stable Debian release. I think it should receive an audit first.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5840
    http://security-tracker.debian.net/tracker/CVE-2008-5840
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5967
    http://security-tracker.debian.net/tracker/CVE-2008-5967
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5968
    http://security-tracker.debian.net/tracker/CVE-2008-5968
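One way a maintainer could harden the cookie_language handling behind CVE-2008-5968, as an added example that is not phpicalendar's own code: the cookie value is mapped onto a fixed set of installed language files instead of being spliced into an include path. The languages/ directory, the .php file naming and the cookie name are assumptions.

```php
<?php
// Added example (not phpicalendar's code): resolve a language name taken from an
// untrusted cookie to a file strictly inside a fixed directory, so values such
// as "../../etc/passwd" can never reach include().

const LANG_DIR = __DIR__ . '/languages';   // assumed location of language files

/**
 * Return the real path of the language file for $name, or null when $name is
 * not one of the installed languages.
 */
function resolve_language_file(string $name): ?string
{
    // Plain identifiers only: letters, digits, underscore, hyphen. This alone
    // rejects "..", "/", "\\" and NUL bytes, so no traversal payload survives.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name)) {
        return null;
    }

    $base = realpath(LANG_DIR);
    $real = realpath(LANG_DIR . '/' . $name . '.php');
    if ($base === false || $real === false) {
        return null;   // directory or file does not exist
    }

    // Prefix check on the canonical path: guards against a symlink inside
    // languages/ that points somewhere outside it.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Untrusted input: the language value phpicalendar reads from a phpicalendar_*
// cookie (exact cookie name assumed here). It is validated before use, and an
// unknown value falls back to the default language rather than to a user path.
$requested = $_COOKIE['phpicalendar_language'] ?? 'english';
$file = resolve_language_file($requested) ?? resolve_language_file('english');

if ($file === null) {
    http_response_code(500);
    exit('no language files installed');
}
include $file;   // only a vetted file under languages/ can reach this point
```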