WebCalendar contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to includes/config.php not properly sanitizing user input supplied to the 'includedir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. This can be exploited further to disclose the content of arbitrary files by including a malicious settings.php file which overwrites the "user_inc" variable and will allow arbitrary local file disclosure.

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Upgrade to version 1.0.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1016179
• Bugtraq ID: 18175
• CVE ID: 2006-2762 (see also: NVD)
• Secunia Advisory ID: 20367 20542
• VUPEN Advisory: ADV-2006-2067
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0676.html
  http://archives.neohapsis.com/archives/bugtraq/2006-06/0029.html
• Vendor URL: http://www.k5n.us/webcalendar.php
• Other Advisory URL: http://www.us.debian.org/security/2006/dsa-1096

• socsam - socsamlinuxmail.org -