0) grep results: every unserialize() call site in the tree. The sites fed from $_COOKIE or $_GET deserialize attacker-controlled bytes directly; the $contents and $event sites take the cached $master_array, which #3 shows can be attacker-written. Independently of the per-site bugs below, unserialize() on untrusted input lets the sender instantiate any class loaded at that point (PHP object injection), so the structural fix for all of these is to stop unserializing client data: json_decode or a server-side session for the cookies, an identifier plus a server-side lookup for todo.php.

$ grep "unserialize" * -R
functions/ical_parser.php: $master_array = unserialize($contents);
functions/ical_parser.php: $master_array = unserialize($contents);
functions/init.inc.php: $phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
functions/userauth_functions.php: $login_cookie = unserialize(stripslashes($_COOKIE['phpicalendar_login']));
includes/event.php:$organizer = unserialize($event['organizer']);
includes/event.php:$attendee = unserialize($event['attendee']);
includes/todo.php:$vtodo_array = unserialize(base64_decode($_GET['vtodo_array']));
index.php: $phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
preferences.php: $phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));

1) local arbitrary file inclusion (init.inc.php). The preferences cookie is unserialized and its keys are copied into configuration variables with no validation, so every value below is attacker-chosen; cookie_language ends up inside an include() path. The file_exists(realpath($lang_file)) check only confirms that the target exists, it does not pin it to the languages directory, so "../" sequences in cookie_language are honoured. The hard-coded '.inc.php' suffix narrows the reachable files to those with that extension (whether the suffix can be cut off depends on the PHP version deployed). Note also that $language is echoed back inside the error() message; whether error() HTML-escapes it is not visible here. Fix: accept cookie_language only if it matches an allow-list of the shipped language names (e.g. basename() it and require /^[a-z_]+$/) before $lang_file is built.

if (isset($_COOKIE['phpicalendar'])) {
$phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
if (isset($phpicalendar['cookie_language'])) $language = $phpicalendar['cookie_language'];
if (isset($phpicalendar['cookie_calendar'])) $default_cal_check = $phpicalendar['cookie_calendar'];
if (isset($phpicalendar['cookie_view'])) $default_view = $phpicalendar['cookie_view'];
if (isset($phpicalendar['cookie_style'])) $style_sheet = $phpicalendar['cookie_style'];
if (isset($phpicalendar['cookie_startday'])) $week_start_day = $phpicalendar['cookie_startday'];
if (isset($phpicalendar['cookie_time'])) $day_start = $phpicalendar['cookie_time'];
}
[..]
// language support
$language = strtolower($language);
$lang_file = BASE.'/languages/'.$language.'.inc.php';
if (file_exists(realpath($lang_file))) { unset($lang); include($lang_file); } else { exit(error('The requested language "'.$language.'" is not a supported language. 
Please use the configuration file to choose a supported language.')); }

2) arbitrary tmp dir and calendar path (init.inc.php). cpath is read from $_REQUEST (query string, POST body or cookie) and appended to both $calendar_path and $tmp_dir with no traversal check, so a single request can point the calendar directory and the cache directory anywhere on the filesystem the web server can read. Fix: resolve the joined path with realpath() and refuse it unless it still starts with the configured base directory, or accept only one path component matching /^[A-Za-z0-9_-]+$/.

if($_REQUEST['cpath']){ $cpath = $_REQUEST['cpath']; $calendar_path .= "/$cpath"; $tmp_dir .= "/$cpath"; }

3) $master_array injection using the #2 bug and serialized data (ical_parser.php). The parsed-calendar cache is trusted blindly: whatever file sits at $tmp_dir.'/parsedcal-'.$cal_filename.'-'.$this_year is read and unserialize()d, and #2 lets the requester choose $tmp_dir. An attacker who can get a file of that name onto a readable path (how is not shown here) controls the whole $master_array and, through it, the unserialize() calls in #8. Fix: keep the cache under a fixed directory that request data cannot influence, and store it as data rather than serialized PHP (json_encode/json_decode), or at minimum HMAC the cache file and verify it before unserializing.

$parsedcal = $tmp_dir.'/parsedcal-'.$cal_filename.'-'.$this_year;
if (file_exists($parsedcal)) { $fd = fopen($parsedcal, 'r'); $contents = fread($fd, filesize($parsedcal)); fclose($fd); $master_array = unserialize($contents); [..]

4) BASE override using the already discovered index.php CSS (init.inc.php). The fallback below means that whenever a script is reached without BASE already set, every include_once(BASE.'...') resolves relative to whatever BASE ends up being. The mechanism by which BASE becomes attacker-influenced is not shown here (a define()d constant cannot be redefined, so it must be set before this line by the index.php issue the author refers to); if that holds, the impact is very large, because it gives five controllable include points in ical_parser.php alone:

if (!defined('BASE')) define('BASE', './');

include_once(BASE.'functions/init.inc.php');
include_once(BASE.'functions/date_functions.php');
include_once(BASE.'functions/draw_functions.php');
include_once(BASE.'functions/overlapping_events.php');
include_once(BASE.'functions/timezones.php');

and another four in init.inc.php:

include_once(BASE.'config.inc.php');
include_once(BASE.'error.php');
include_once(BASE.'functions/calendar_functions.php');
include_once(BASE.'functions/userauth_functions.php');

Fix: derive BASE from dirname(__FILE__) in one place, never from request data, and include only from that fixed absolute prefix.

5) directory traversal attack to the cal datafile (day.php). The cal parameter is used as a path component without normalisation, so "../" climbs out of the calendar directory; the example below makes day.php read a calendar file from under another vhost's document root on the same host. Fix: basename() the value and require it to match an entry of the configured calendar list.

http://www.sikurezza.org/calendario/day.php?cal=../../../home/www.maliCious.it/htdocs/bad&getdate=20051024

6) todo.php multiple XSS. The whole todo record arrives as a base64-encoded serialized array on the query string, so every field is attacker-chosen (and the unserialize() on it is an object-injection sink as well). The sample URL below decodes to a harmless array whose values are plain text; the attack substitutes markup for any of the string fields.

http://phpicalendar.net/phpicalendar/includes/todo.php?vtodo_array=YTo4OntzOjM6ImNhbCI7czo5OiJIb21lIDEyMzQiO3M6MTQ6ImNvbXBsZXRlZF9kYXRlIjtOO3M6MTE6ImRlc2NyaXB0aW9uIjtzOjA6IiI7czo4OiJkdWVfZGF0ZSI7TjtzOjg6InByaW9yaXR5IjtOO3M6MTA6InN0YXJ0X2RhdGUiO3M6ODoiMjAwMjEwMTUiO3M6Njoic3RhdHVzIjtOO3M6MTA6InZ0b2RvX3RleHQiO3M6MTk6IlRoaXMgaXMgYSB0b2RvIGl0ZW0iO30=

$vtodo_array = unserialize(base64_decode($_GET['vtodo_array']));
$vtodo_text = (isset($vtodo_array['vtodo_text'])) ? $vtodo_array['vtodo_text'] : ('');
$description = (isset($vtodo_array['description'])) ? 
$vtodo_array['description'] : ('');
$completed_date = (isset($vtodo_array['completed_date'])) ? localizeDate ($dateFormat_day, strtotime($vtodo_array['completed_date'])) : ('');
$status = (isset($vtodo_array['status'])) ? $vtodo_array['status'] : ('');
$calendar_name = (isset($vtodo_array['cal'])) ? $vtodo_array['cal'] : ('');
$start_date = (isset($vtodo_array['start_date'])) ? localizeDate ($dateFormat_day, strtotime($vtodo_array['start_date'])) : ('');
$due_date = (isset($vtodo_array['due_date'])) ? localizeDate ($dateFormat_day, strtotime($vtodo_array['due_date'])) : ('');
$priority = (isset($vtodo_array['priority'])) ? $vtodo_array['priority'] : ('');
$cal_title_full = $calendar_name.' '.$lang['l_calendar'];
$description = ereg_replace("[[:alpha:]]+://[^<>[:space:]]+[[:alnum:]/]", '\0', $description);
$vtodo_text = ereg_replace("[[:alpha:]]+://[^<>[:space:]]+[[:alnum:]/]",'\0',$vtodo_text);

The two ereg_replace() calls only match URL-shaped text and, as quoted, replace each match with itself ('\0'); nothing in this chain HTML-escapes cal, vtodo_text, description, status or priority, so whatever the attacker put in those fields reaches the page as markup (the three date fields pass through strtotime() first and are less directly usable). Fix: htmlspecialchars($value, ENT_QUOTES) on every string at the point of output, and replace the serialized-array parameter with a todo identifier that is resolved server-side.

7) default user:passwd for locked calendars (possible problem, should be commented out). config.inc.php ships four live $locked_map entries (user1:pass ... user4:pass). As shipped they map to array(''), so the exposure depends on what an administrator later assigns to them, but a publicly known default user:password pair should never ship enabled, and the passwords in this map are stored in cleartext. Fix: ship the examples commented out (the inline comment already shows the intended form) and have the application refuse to start, or at least warn, while an example entry is still present.

> config.inc.php
$locked_map['user1:pass'] = array(''); // Map username:password accounts to locked calendars that should be
$locked_map['user2:pass'] = array(''); // unlocked if logged in. Calendar names should be the same as what is
$locked_map['user3:pass'] = array(''); // listed in the $locked_cals, again without the .ics suffix.
$locked_map['user4:pass'] = array(''); // Example: $locked_map['username:password'] = array('Locked1', 'Locked2');

> userauth_functions.php. The login cookie is a serialized array carrying the username and the password in cleartext; it is unserialized (object-injection sink again) and the two values become the credentials for the request. Anyone who can read the cookie (the setcookie() flags are not visible here) obtains the password itself, not merely a session. Fix: authenticate once, keep the credentials server-side, put only a random session identifier in the cookie, and verify passwords against a hashed store (password_hash/password_verify).

$login_cookie = unserialize(stripslashes($_COOKIE['phpicalendar_login']));
if (isset($login_cookie['username']) && isset($login_cookie['password'])) { $username = $login_cookie['username']; $password = $login_cookie['password']; }

8) XSS in event.php using serialized data in $master_array injected via bug #3. The three $_POST values only select an entry of $master_array; the exploitable part is that the organizer and attendee fields of that entry are unserialize()d and, per the advisory, rendered without escaping, so whoever controls the cache file (#3) controls what reaches the page. Fix: the cache hardening from #3, plus htmlspecialchars() on organizer and attendee at output.

$event = $master_array[$_POST['date']][$_POST['time']][decode_popup($_POST['uid'])];
$organizer = unserialize($event['organizer']);
$attendee = unserialize($event['attendee']);

9) low risk: unused parse($file) function in the template class. It include()s whatever path it is given and returns the rendered output, so it is a ready-made file-inclusion primitive if any caller ever passes request data to it; today it is unused and therefore unreachable. Fix: delete it, or restrict $file to a realpath() under the template directory.

function parse($file) { ob_start(); include($file); $buffer = ob_get_contents(); ob_end_clean(); return $buffer; }