Info

Disclosure

Jan 12, 2006

Discovery

Unknown

Dates

Exploit

Jan 12, 2006

Solution

Unknown

Description

ACal contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to a user with administrative rights on the application being able to edit the source code of the 'header.php' and 'footer.php' files. This may allow an attacker to add arbitrary PHP code to either file which will be executed when the page is visited/loaded normally.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
OSVDB: Web Related

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

ACal Calendar Project

ACal

2.2.5

References

Secunia Advisory ID: 18432
CVE ID: 2006-0183 (see also: NVD)
Related OSVDB ID: 22344
FrSIRT Advisory: ADV-2006-0152
Keyword: EV0025
Vendor URL: http://acalproj.sourceforge.net/
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-01/0203.html
Other Advisory URL: http://www.evuln.com/vulns/25/summary.html

Credit

Aliaksandr Hartsuyeu - alexevuln.com - eVuln

Direct URL: http://osvdb.org/36218