PHP iCalendar Local File Inclusion

high Nessus Network Monitor Plugin ID 3479

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The remote host is running PHP iCalendar, an open-source PHP blog. This version of iCalendar is vulnerable to a flaw wherein a local user can gain access to confidential data by requesting the data from the iCalendar application. Successful exploitation would lead to a local user gaining access to confidential data. In addition, the remote host is vulnerable to a remote file upload flaw. An attacker exploiting this flaw would be able to manipulate the application into uploading and executing potentially malicious scripts.

Solution

No solution is known at this time.

See Also

http://www.phpicalendar.net

Plugin Details

Severity: High

ID: 3479

Family: CGI

Published: 3/17/2006

Updated: 3/6/2019

Nessus ID: 17125, 17129

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:W/RC:X

Vulnerability Information

CPE: cpe:/a:php_icalendar:php_icalendar

Reference Information

CVE: CVE-2005-0227, CVE-2005-0244, CVE-2005-0245, CVE-2005-0246, CVE-2005-0247, CVE-2006-1291, CVE-2006-1292

BID: 12411, 12417, 17125, 17129