Multiple Cross Site Scripting Vulnerabilities were identified in SoftComplex Inc. 's PHP Event Calendar, a reusable PHP script that extends a web site's functionality with an event scheduler or news archive. http://www.softcomplex.com/products/php_event_calendar/ Attached is the advisory which details the vulnerability. Thanks, OS2A
PHP Event Calendar Multiple Parameter Cross Site Scripting Vulnerability OS2A ID: OS2A_1007 Status: 08/20/2006 Issue Discovered 09/06/2006 Reported to the Vendor 09/09/2006 Fixed by Vendor 09/13/2006 Advisory Released Class: Cross Site Scripting Severity: Low Overview: --------- PHP Event Calendar is a reusable PHP script that extends a web site's functionality with an event scheduler and/or news archive. http://www.softcomplex.com/products/php_event_calendar/ Description: ------------ A cross-site scripting vulnerability exists in PHP Event Calendar, due to input validation error in parameters tilte(ti), body(bi) and backgroung Image(cbgi) in cl_files/index.php page when adding a new event. Successful exploitation requires authentication. Impact: ------- An authenticated remote attacker could inject malicious HTML and script code in other user's browser session within the security context of the affected site. Affected Software(s): --------------------- PHP Event Calendar 1.5.1 (prior versions may also be vulnerable) Proof of Concept: ----------------- http://www.yoursite.com/directory_where_you_installed_php_event_calendar/cl_files/index.php Vulnerable fields: title field - ti body field - bi Backgroung Image - cbgi Insert "<script>alert('XSS Vulnerable');</script>" in above field and click "Add event". CVSS Score Report: ----------------- ACCESS_VECTOR = REMOTE ACCESS_COMPLEXITY = LOW AUTHENTICATION = REQUIRED CONFIDENTIALITY_IMPACT = NONE INTEGRITY_IMPACT = PARTIAL AVAILABILITY_IMPACT = NONE IMPACT_BIAS = INTEGRITY EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL = OFFICIAL_FIX REPORT_CONFIDENCE = CONFIRMED CVSS Base Score = 2.1 (AV:R/AC:L/Au:R/C:N/I:P/A:N/B:I) CVSS Temporal Score = 1.6 Risk factor = Low Vendor Response: --------------- "Attached is the version that blocks the use of the <script> in the text of the event. We can't block use of HTML completely because many users want to be able to use HTML for the event descriptions. The events are managed in the password protected control panel so there was no security threat even before the change was applied." Solution: --------- Update to the fixed version, http://www.softcomplex.com/products/php_event_calendar/ Credits: -------- NR Nandini of OS2A has been credited with the discovery of this vulnerability.
