PHP iCalendar <= 2.24 Unrestricted File Upload Vulnerability


admin/index.php in PHP iCalendar 2.3.4, 2.24, and earlier does not require administrative authentication for an addupdate action, which allows remote attackers to upload a calendar (aka .ics) file with arbitrary content to the calendars/ directory outside the web root.


Disclosure Date:

September 21, 2008