PHP iCalendar <= 2.24 Unrestricted File Upload Vulnerability

Description:

admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ directory outside the web root.

References:

• CVE-2008-5967
• EDB-6519

Disclosure Date:

September 21, 2008