suid@suid.kg - Matt Kruse Calendar Script Vulnerability

Software:       Matt Kruse Calendar Script
URL:            https://www.mattkruse.com/scripts/calendar/
Version:        Version 2.2 and below?
Platforms:      UNIX / Windows NT
Type:           Input Validation Failure
Lame Factor:    Damn High

Summary:

        Remote users can execute arbitrary commands on the web
        server with the priviledge level of the httpd process.

Vulnerability:

        Both the calender.pl and the calendar_admin.pl scripts fail to 
        perform proper input validation. The calender_admin.pl script
        for example prompts the user for a configuration file to modify.
        Then in an attempt to authenticate the user to verify they have
        access to modify the specified configuration file, it passes 
        the user input straight to perl open(). *yoink*(tm)

Exploit:

        calender_admin.pl - easiest

        Assuming https://www.ownable.domain/ has calender.pl at:

                https://www.ownable.domain/cgi-bin/calender.pl

        The admin script by default is at:

                https://www.ownable.domain/cgi-bin/calender_admin.pl

        Going to that URL will result in a username/password/configuration file
        input fields. Ignoring username and password, enter:

                |<command here>|

        (With the pipes) in the configuration file field.

        e.g. 

                |ping 127.0.0.1|

Note:

        I notice that calender.pl does not sanitise input either and is vulnerable
        to an open attack but am not interested enough to write about it.

        Blah.

Greets:

        duke - WHAT THE HELL!?>!
        horizons

https://www.suid.edu/advisories/011.txt

EOF