
WebCalendar < 1.0.1 send_reminders.php includedir Parameter Remote File Inclusion

High

Synopsis

The remote host is vulnerable to a script injection attack.

Description

The remote version of WebCalendar fails to sanitize user-supplied input to the 'includedir' parameter of the 'send_reminders.php' script. By leveraging this flaw, an attacker may be able to view arbitrary files on the remote host and execute arbitrary PHP code, possibly taken from third-party hosts.
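To check whether a host has already received requests of the kind described above, the following added example (not part of the advisory or of WebCalendar) scans web access logs for requests to 'send_reminders.php' that supply an 'includedir' value. It assumes common/combined-format access logs; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that starts with a URL scheme points at a third-party host.
REMOTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify_includedir(value):
    """Label a client-supplied includedir value (already percent-decoded)."""
    if REMOTE_RE.match(value):
        return "remote-url"   # code would be pulled from another host
    if value.startswith("/") or ".." in value:
        return "local-path"   # attempt to reach files on the host itself
    return "other"            # still suspect: clients should never set this

def scan(lines):
    """Return (line_number, client_ip, label) for each suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/send_reminders.php"):
            continue
        # parse_qs percent-decodes values, so encoded forms are caught too.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("includedir", []):
            findings.append((n, line.split()[0], classify_includedir(value)))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /webcalendar/month.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /webcalendar/send_reminders.php?includedir=http%3A%2F%2Fhost.example%2F HTTP/1.1" 200 312',
    '192.0.2.45 - - [01/Jan/2024:10:00:09 +0000] "GET /webcalendar/send_reminders.php?includedir=%2Ftmp HTTP/1.1" 200 97',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /webcalendar/send_reminders.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for line_no, client, label in scan(SAMPLE_LOG):
        print(f"line {line_no}: {client} sent includedir ({label})")
```

Only the query string is inspected here; values sent in a POST body do not appear in standard access logs and need request-body logging or a WAF rule to be seen.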

Solution

Upgrade to version 1.0.1 or higher.