FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

WebCalendar -- "noSet" variable overwrite vulnerability

Affected packages
WebCalendar < 1.0.5

Details

VuXML ID 72999d57-d6f6-11db-961b-005056847b26
Discovery 2007-03-04
Entry 2007-04-08

Secunia reports:

A vulnerability has been discovered in WebCalendar, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to unspecified parameters is not properly verified before being used with the "noSet" parameter set. This can be exploited to overwrite certain variables, and allows e.g. the inclusion of arbitrary PHP files from internal or external resources.

References

Bugtraq ID 22834
CVE Name CVE-2007-1343
URL http://sourceforge.net/project/shownotes.php?release_id=491130
URL http://xforce.iss.net/xforce/xfdb/32832