Author Topic: No real security on multiple calendars. You Can read everything  (Read 250 times)
detroitdr
Guest
« on: August 11, 2005, 11:10:00 AM »

I've been looking at this program, and although it's a VERY good program, if you use more than 1 calendar, you really have no security.

For example, you do not have to sign in to read all the data. Using your site as an example you have a RESTRICTED calendar called LIMITED. Click below to read all your data (which clears out... but the file is readable) without the need to login. I've gone around to some other locations that have left their calendars in your support forum and they too (if multiple calendars) have this "hole".
http://www.calendarscript.com/demo/calendarscript/calendars/limited/events.txt

I hope you can figure a way to plug it up for people who want to manage multiple calendars.

Now knowing this... if someone uses more than 1 calendar, then the directory name will be known (without login) and all you need to do is remove the calendar.pl with

calendarscript/calendars/***calendar name***/events.txt


If only one calendar is used then it would be much harder to get the directory name unless they left it as default....

Hope this helps increase the security someday...

DetroitDr

detroitdr
Guest
« Reply #1 on: August 11, 2005, 11:29:00 AM »

Just checking a little bit more and it's actually easy to find out the directory names of the calendar even if it's the only one... so now that opens up even single calendar security.

Example again from your site,
http://www.calendarscript.com/demo/calendarscript/calendars.txt

Now is this perhaps an issue with MS IIS versus another platform?

DetroitDr

DanO
Moderator
« Reply #2 on: August 11, 2005, 12:25:00 PM »

** I hope you can figure a way to plug it up for people who want to manage multiple calendars. **

It's not brain science, just set up your server properly and you won't have any problems. Just deny 'read' permissions to the calendarscript data directories.

JMO

Dan O.

------------------
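
A way to check the fix suggested in Reply #2 on a test copy, as an added example that is not part of the original thread or CalendarScript's own code: it serves a constructed directory tree on localhost twice, once with everything readable and once with direct reads of the data paths refused, and reports the HTTP status of the two files named in the thread. The handler classes, `make_site` and `audit` are hypothetical names, and the Python server only stands in for the deny rule a real web server would carry in its own configuration.

```python
import http.client, http.server, tempfile, threading
from functools import partial
from pathlib import Path

DATA_PATHS = ["/calendarscript/calendars.txt",  # the two paths named in the thread
              "/calendarscript/calendars/limited/events.txt"]

class OpenHandler(http.server.SimpleHTTPRequestHandler):
    """Weak setup: every file under the web root is served as static content."""
    def log_message(self, *args): pass  # keep the demo quiet

class DenyDataHandler(OpenHandler):
    """Corrected setup: direct reads of the calendar data are refused."""
    def send_head(self):  # used by both GET and HEAD
        # Compare resolved filesystem paths so ./ or %-encoding cannot dodge the rule.
        target = Path(self.translate_path(self.path)).resolve()
        base = Path(self.directory, "calendarscript").resolve()
        for p in (base / "calendars.txt", base / "calendars"):
            if target == p or p in target.parents:
                self.send_error(403, "calendar data is not served over HTTP")
                return None
        return super().send_head()

def make_site(root):  # constructed install tree with fake data files
    cal = Path(root, "calendarscript", "calendars", "limited")
    cal.mkdir(parents=True)
    (cal / "events.txt").write_text("constructed sample event\n")
    Path(root, "calendarscript", "calendars.txt").write_text("limited\n")
    Path(root, "index.html").write_text("public page\n")

def audit(handler_cls, paths=DATA_PATHS):
    """Serve the sample tree on localhost and return {path: HTTP status}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        make_site(root)
        handler = partial(handler_cls, directory=root)
        with http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler) as srv:
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            try:
                for p in paths:
                    conn = http.client.HTTPConnection(*srv.server_address, timeout=5)
                    conn.request("GET", p)
                    results[p] = conn.getresponse().status
                    conn.close()
            finally:
                srv.shutdown()
    return results

if __name__ == "__main__":
    print(audit(OpenHandler), audit(DenyDataHandler), sep="\n")
```

The data files stay readable to the CGI script through the filesystem; only direct HTTP requests for them are refused, while pages outside the data paths are still served.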
