WebCalendar <= 1.2.4 (pref.php) Local File Inclusion Vulnerability

Description:

WebCalendar contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the pref.php script not properly sanitizing user-supplied input to the ‘pref_THEME’ parameter. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes. In addition, this flaw could be used to disclose the contents of any file on the system accessible by the web server.

References:

• CVE-2012-1496
• BID-53207
• EDB-18775

Disclosure Date:

April 23, 2012