Info

Disclosure

May 04, 2006

Discovery

Unknown

Dates

Exploit

May 04, 2006

Solution

Unknown

Description

WebCalendar contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when invalid credentials are provided to the application. The application responds with different messages to valid and invalid user name/password combinations, allowing an attacker to enumerate valid user names and resulting in a loss of confidentiality.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to upcoming version 1.1, as the vendor has announced that it will fix this vulnerability. An upgrade will required as there are no known workarounds.

Products

Craig Knudsen	WebCalendar	1.0.1
		1.0.2
		1.0.3

References

Bugtraq ID: 17853
Secunia Advisory ID: 19974 20108
CVE ID: 2006-2247 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0074.html
http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0088.html
Vendor URL: http://www.k5n.us/webcalendar.php
Other Advisory URL: http://www.us.debian.org/security/2006/dsa-1056

Credit

David Maciejak - david.maciejakgmail.com -

Direct URL: http://osvdb.org/25280

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Craig Knudsen

WebCalendar

References

Credit