WebCalendar <= 1.2.4 (pref.php) Local File Inclusion Vulnerability
WebCalendar contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the pref.php script not properly sanitizing user-supplied input to the ‘pref_THEME’ parameter. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes. In addition, this flaw could be used to disclose the contents of any file on the system accessible by the web server.
April 23, 2012