Web application abuses : PHP-Calendar Multiple Remote And Local File Inclusion Vulnerabilities

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.901090

Category: Web application abuses

Title: PHP-Calendar Multiple Remote And Local File Inclusion Vulnerabilities

Summary: PHP-Calendar is prone to Remote And Local File Inclusion vulnerability.

Description: Summary:
PHP-Calendar is prone to Remote And Local File Inclusion vulnerability.

Vulnerability Insight:
The flaw is due to error in 'configfile' parameter in 'update08.php' and
'update10.php' which is not properly verified before being used to include files.

Vulnerability Impact:
Successful exploitation will allow attacker to include and execute arbitrary
files from local and external resources, and can gain sensitive information
about remote system directories when register_globals is enabled.

Affected Software/OS:
PHP-Calendar version 1.1 and prior on all platforms.

Solution:
Upgrade to PHP-Calendar version 1.4 or later.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-3702
Bugtraq: 20091218 [ISecAuditors Security Advisories] PHP-Calendar <= v1.1 'configfile' Remote and Local File Inclusion vulnerability (Google Search)
http://www.securityfocus.com/archive/1/508548/100/0/threaded

Copyright Copyright (C) 2009 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.901090
Category:	Web application abuses
Title:	PHP-Calendar Multiple Remote And Local File Inclusion Vulnerabilities
Summary:	PHP-Calendar is prone to Remote And Local File Inclusion vulnerability.
Description:	Summary: PHP-Calendar is prone to Remote And Local File Inclusion vulnerability. Vulnerability Insight: The flaw is due to error in 'configfile' parameter in 'update08.php' and 'update10.php' which is not properly verified before being used to include files. Vulnerability Impact: Successful exploitation will allow attacker to include and execute arbitrary files from local and external resources, and can gain sensitive information about remote system directories when register_globals is enabled. Affected Software/OS: PHP-Calendar version 1.1 and prior on all platforms. Solution: Upgrade to PHP-Calendar version 1.4 or later. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2009-3702 Bugtraq: 20091218 [ISecAuditors Security Advisories] PHP-Calendar <= v1.1 'configfile' Remote and Local File Inclusion vulnerability (Google Search) http://www.securityfocus.com/archive/1/508548/100/0/threaded
Copyright	Copyright (C) 2009 Greenbone AG