PHP iCalendar Local File Inclusion

High Nessus Network Monitor Plugin ID 3479

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The remote host is running PHP iCalendar, an open-source PHP blog. This version of iCalendar is vulnerable to a flaw wherein a local user can gain access to confidential data by requesting the data from the iCalendar application. Successful exploitation would lead to a local user gaining access to confidential data. In addition, the remote host is vulnerable to a remote file upload flaw. An attacker exploiting this flaw would be able to manipulate the application into uploading and executing potentially malicious scripts.

Solution

No solution is known at this time.

See Also

http://www.phpicalendar.net

Plugin Details

Severity: High

ID: 3479

Family: CGI

Published: 2006/03/17

Modified: 2016/01/21

Dependencies: 1442

Nessus ID: 17125, 17129

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:W/RC:ND

CVSSv3

Base Score: 7.3

Temporal Score: 6.9

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:W/RC:X

Vulnerability Information

CPE: cpe:/a:php_icalendar:php_icalendar

Reference Information

CVE: CVE-2006-1291, CVE-2005-0244, CVE-2005-0246, CVE-2005-0227, CVE-2005-0245, CVE-2005-0247, CVE-2006-1292

BID: 12411, 12417, 17125, 17129