Topic: security (Read 959 times)
ravenquork
« on: August 02, 2007, 06:05:23 PM »
Just how secure is calendarscript 3.21?
I was doing a security search and found this:
calendarscript-calendarpl-xss (20103) Medium Risk
Description:
CalendarScript is a customizable event-publishing solution running on Microsoft Windows and Unix-based operating systems. CalendarScript version 3.20 is vulnerable to cross-site scripting caused by improper validation of user-supplied input. A remote attacker could embed malicious script in the username parameter in a URL request to the calendar.pl script which, once the link is clicked, would be executed in the victim's Web browser within the security context of the hosting site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Platforms Affected:
Data General: DG/UX Any version
Hewlett-Packard Company: HP-UX Any version
Hewlett-Packard Company: Tru64 UNIX Any version
IBM: AIX Any version
Linux: Linux Any version
Matt Kruse: CalendarScript 3.20
Matt Kruse: CalendarScript 3.21
Microsoft Corporation: Windows 95
Microsoft Corporation: Windows 98
Microsoft Corporation: Windows 98 Second Edition
Microsoft Corporation: Windows Me
Microsoft Corporation: Windows XP
Microsoft Corporation: Windows 2000 Any version
Microsoft Corporation: Windows 2003 Any version
Microsoft Corporation: Windows NT 4.0
Santa Cruz Operation, Inc.: SCO Unix Any version
SGI: IRIX Any version
Sun Microsystems, Inc.: Solaris Any version
Wind River Systems, Inc.: BSD Any version
Remedy:
No remedy available as of July 2007.
Consequences:
Gain Access
References:
CalendarScript - Your event publishing solution for the Web!, CalendarScript Web site at hxxp: www.calendarscript.com/.
CVE-2005-1146: ** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in the login command in calendar.pl in CalendarScript 3.21 allows remote attackers to inject arbitrary web script or HTML via the username parameter, a different vulnerability than CVE-2005-1145.
SECTRACK ID: 1013705: CalendarScript Discloses Installation Path and Debug Information to Remote Users and Permits Cross-Site Scripting Attacks
Reported:
Apr 14, 2005
@ hxxp: xforce.iss.net/xforce/xfdb/20103
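
A defensive check for the issue the quoted advisory describes, as an added example that is not part of the original post or of CalendarScript's own code: it scans web access-log lines for calendar.pl requests whose username parameter decodes to HTML metacharacters, and shows the entity-encoded form a page should emit when it reflects that value. The combined log format, the /cgi-bin/ path and the command=login query parameter are assumptions, and the log lines are constructed samples.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Characters that let a reflected value break out of HTML text or an attribute.
MARKUP = re.compile(r"[<>\"'`]")
# Request field of a combined-format access-log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_username(log_line):
    """Return the decoded username value if a calendar.pl request carries
    HTML metacharacters in it, otherwise None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/calendar.pl"):
        return None
    # parse_qs percent-decodes, so %3C and a literal < are treated alike.
    for value in parse_qs(url.query, keep_blank_values=True).get("username", []):
        if MARKUP.search(value):
            return value
    return None


def safe_echo(value):
    """Entity-encode a value before it is written back into an HTML page."""
    return html.escape(value, quote=True)


# Constructed sample log lines; path and command=login are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Aug/2007:18:01:12 +0000] "GET /cgi-bin/calendar.pl?command=login&username=alice HTTP/1.1" 200 5120',
    '192.0.2.44 - - [02/Aug/2007:18:02:40 +0000] "GET /cgi-bin/calendar.pl?command=login&username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5188',
    '192.0.2.10 - - [02/Aug/2007:18:03:05 +0000] "GET /index.html?username=%3Cb%3E HTTP/1.1" 200 812',
]


def scan(lines):
    """Return (line number, decoded value, encoded value) for each flagged line."""
    return [(n, v, safe_echo(v)) for n, line in enumerate(lines, 1)
            if (v := flag_username(line)) is not None]


if __name__ == "__main__":
    for n, raw, encoded in scan(SAMPLE_LOG):
        print(f"line {n}: username={raw!r} -> encoded as {encoded!r}")
```

Values submitted in a POST body do not appear in access logs, so this check only covers the URL-borne case the advisory describes.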