File Inclusion Vulnerability in PHP iCalendar

Summary

Vulnerability: File Inclusion Vulnerability in PHP iCalendar
Discovered: 2006.02.09
Last Update: 2006.02.13 CVE entry added
ID: EV0070
CVE: CVE-2006-0648
Risk Level: high
Type: File Inclusion
Status: Patched
Vendor: n/a
Vulnerable Software: PHP iCalendar (http://phpicalendar.net/)
Version: 2.0.1 2.1 2.2
PoC/Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

File Inclusion found in PHP iCalendar (http://phpicalendar.net/) script.

File: functions/template.php

Function parse($file) calls include($file) without correct sanitation of variable $file

File: search.php

Parameter getdate isn't properly sanitized and may contain a filepath.

All this can be used to make inclusion of arbitrary server-side file.

System access is possible.

PoC/Exploit

File inclusion example:

http://host/icalendar/search.php?getdate=[anyfile]

Solution.

Vendor-provided patch is available at:

http://dimer.tamu.edu/phpicalendar.net/forums/viewtopic.php?p=1869#1869