Authentication Bypass and PHP Insertion in ACal

Summary

Vulnerability: Authentication Bypass and PHP Insertion in ACal
Discovered: 2006.01.11
Last Update: 2006.03.06 Solution added
ID: EV0025
CVE: CVE-2006-0182 CVE-2006-0183
Risk Level: high
Type: PHP Code Execution
Status: Patched
Vendor: n/a
Vulnerable Software: ACal (http://acalproj.sourceforge.net/)
Version: 2.2.5
PoC/Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

PHP Code Execution found in ACal (http://acalproj.sourceforge.net/) script.

Vulnerabe script: login.php

To authorize any user forum scripts checks only one cookie variable: ACalAuthenticate

Forum dont make password comparison.

Registered users can modify header.php and footer.php files. System access is possible.

PoC/Exploit

Cookie: ACalAuthenticate=inside

Solution.

To fix this problem install or upgrade to 2.2.6 version.