0) grep for unserialize() calls
$ grep "unserialize" * -R
functions/ical_parser.php: $master_array = unserialize($contents);
functions/ical_parser.php: $master_array = unserialize($contents);
functions/init.inc.php: $phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
functions/userauth_functions.php: $login_cookie = unserialize(stripslashes($_COOKIE['phpicalendar_login']));
includes/event.php:$organizer = unserialize($event['organizer']);
includes/event.php:$attendee = unserialize($event['attendee']);
includes/todo.php:$vtodo_array = unserialize(base64_decode($_GET['vtodo_array']));
index.php: $phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
preferences.php: $phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
1) local file inclusion via the cookie-supplied language (init.inc.php)
$language is taken straight from the unserialize()d phpicalendar cookie; strtolower() is the only processing before it is spliced into the include() path, so "../" sequences walk out of BASE/languages/ (the .inc.php suffix is still appended after it).
if (isset($_COOKIE['phpicalendar'])) {
$phpicalendar = unserialize(stripslashes($_COOKIE['phpicalendar']));
if (isset($phpicalendar['cookie_language'])) $language = $phpicalendar['cookie_language'];
if (isset($phpicalendar['cookie_calendar'])) $default_cal_check = $phpicalendar['cookie_calendar'];
if (isset($phpicalendar['cookie_view'])) $default_view = $phpicalendar['cookie_view'];
if (isset($phpicalendar['cookie_style'])) $style_sheet = $phpicalendar['cookie_style'];
if (isset($phpicalendar['cookie_startday'])) $week_start_day = $phpicalendar['cookie_startday'];
if (isset($phpicalendar['cookie_time'])) $day_start = $phpicalendar['cookie_time'];
}
[..]
// language support
$language = strtolower($language);
$lang_file = BASE.'/languages/'.$language.'.inc.php';
if (file_exists(realpath($lang_file))) {
unset($lang);
include($lang_file);
} else {
exit(error('The requested language "'.$language.'" is not a supported language. Please use the configuration file to choose a supported language.'));
}
2) attacker-controlled tmp dir and calendar path through the cpath parameter (init.inc.php)
cpath is appended to both paths without any validation, so "../" reaches any directory the web server can read.
if($_REQUEST['cpath']){
$cpath = $_REQUEST['cpath'];
$calendar_path .= "/$cpath";
$tmp_dir .= "/$cpath";
}
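Added example, not PHP iCalendar's own code: a hardened replacement for the two init.inc.php fragments above (bugs #1 and #2). The cookie is unserialize()d with object instantiation disabled and reduced to the keys the code actually uses; the language name must match a character whitelist and resolve inside BASE/languages via realpath(); cpath must be a single plain directory name or is rejected outright. The same whitelist is the fix for any other file-name parameter, such as cal in day.php (bug #5). Assumptions: the advisory's layout (BASE/languages/<lang>.inc.php, $calendar_path and $tmp_dir coming from config.inc.php), PHP >= 7.1, a $default_language variable from config.inc.php, and the helper names, which are ours.

```php
<?php
// Added example, not PHP iCalendar's own code: hardened replacements for the
// cookie-driven language include (bug #1) and the cpath handling (bug #2).
// Assumptions: BASE/languages/<lang>.inc.php layout, $calendar_path, $tmp_dir
// and $default_language set in config.inc.php, PHP >= 7.1. Helper names are ours.

if (!defined('BASE')) {
    define('BASE', __DIR__ . '/');   // assumption: this file sits at the app root
}

// Decode the preferences cookie without ever instantiating objects and keep
// only the keys init.inc.php uses, each forced to a string.
// stripslashes() is gone: magic_quotes_gpc no longer exists in PHP >= 5.4.
function settings_from_cookie(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $allowed = ['cookie_language', 'cookie_calendar', 'cookie_view',
                'cookie_style', 'cookie_startday', 'cookie_time'];
    $clean = [];
    foreach ($allowed as $key) {
        if (isset($data[$key]) && is_scalar($data[$key])) {
            $clean[$key] = (string) $data[$key];
        }
    }
    return $clean;
}

// Map a language name to a file inside BASE/languages, or null. The character
// whitelist already excludes "../", "/" and NUL; the realpath() containment
// check is a second line of defence (it also resolves symlinks).
function safe_language_file(string $language): ?string
{
    $language = strtolower($language);
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $language)) {
        return null;
    }
    $dir  = realpath(BASE . 'languages');
    $file = realpath(BASE . 'languages/' . $language . '.inc.php');
    if ($dir === false || $file === false
        || strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// cpath: one plain directory name or nothing. Reject anything else instead
// of trying to strip traversal sequences out of it.
function safe_cpath(?string $cpath): string
{
    if ($cpath === null || $cpath === '') {
        return '';
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $cpath)) {
        http_response_code(400);
        exit('invalid cpath');
    }
    return '/' . $cpath;
}

// Drop-in for the init.inc.php fragments quoted in the advisory.
$prefs     = isset($_COOKIE['phpicalendar'])
           ? settings_from_cookie($_COOKIE['phpicalendar']) : [];
$language  = $prefs['cookie_language'] ?? $default_language; // assumption: from config.inc.php
$lang_file = safe_language_file($language);
if ($lang_file === null) {
    // Do not echo the rejected value back into the page.
    exit('The requested language is not a supported language.');
}
include $lang_file;

$cpath          = safe_cpath($_REQUEST['cpath'] ?? null);
$calendar_path .= $cpath;
$tmp_dir       .= $cpath;
```

Rejecting on a whitelist miss, rather than "cleaning" the value, keeps the behaviour obvious in logs: a request carrying "../" in cpath or the cookie is an attack, not a preference to repair.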
3) $master_array injection via bug #2 and serialized data (ical_parser.php)
ical_parser.php trusts whatever parsedcal-<calendar>-<year> file it finds under $tmp_dir and unserialize()s it, so with cpath under attacker control the cache file can be any file the attacker can reach or write.
$parsedcal = $tmp_dir.'/parsedcal-'.$cal_filename.'-'.$this_year;
if (file_exists($parsedcal)) {
$fd = fopen($parsedcal, 'r');
$contents = fread($fd, filesize($parsedcal));
fclose($fd);
$master_array = unserialize($contents);
[..]
4) BASE override via the already discovered index.php CSS (init.inc.php)
if (!defined('BASE')) define('BASE', './');
If BASE can be defined by the attacker before this line runs, the impact is large: five more include_once() calls are built from BASE in ical_parser.php alone:
include_once(BASE.'functions/init.inc.php');
include_once(BASE.'functions/date_functions.php');
include_once(BASE.'functions/draw_functions.php');
include_once(BASE.'functions/overlapping_events.php');
include_once(BASE.'functions/timezones.php');
and another four in init.inc.php:
include_once(BASE.'config.inc.php');
include_once(BASE.'error.php');
include_once(BASE.'functions/calendar_functions.php');
include_once(BASE.'functions/userauth_functions.php');
5) directory traversal in the cal parameter of day.php
cal is used to build the calendar data file path, so "../" points it at a file outside the calendar directory (here under another vhost's htdocs):
http://www.sikurezza.org/calendario/day.php?cal=../../../home/www.maliCious.it/htdocs/bad&getdate=20051024
6) multiple XSS in todo.php
vtodo_array is base64-encoded serialized PHP and every field is used as it arrives. The only processing is the ereg_replace() URL rewrite (ereg_replace() itself was removed in PHP 7.0), so HTML in vtodo_text, description, cal, status or priority reaches the page unescaped. Proof of concept with benign values:
http://phpicalendar.net/phpicalendar/includes/todo.php?vtodo_array=YTo4OntzOjM6ImNhbCI7czo5OiJIb21lIDEyMzQiO3M6MTQ6ImNvbXBsZXRlZF9kYXRlIjtOO3M6MTE6ImRlc2NyaXB0aW9uIjtzOjA6IiI7czo4OiJkdWVfZGF0ZSI7TjtzOjg6InByaW9yaXR5IjtOO3M6MTA6InN0YXJ0X2RhdGUiO3M6ODoiMjAwMjEwMTUiO3M6Njoic3RhdHVzIjtOO3M6MTA6InZ0b2RvX3RleHQiO3M6MTk6IlRoaXMgaXMgYSB0b2RvIGl0ZW0iO30=
$vtodo_array = unserialize(base64_decode($_GET['vtodo_array']));
$vtodo_text = (isset($vtodo_array['vtodo_text'])) ? $vtodo_array['vtodo_text'] : ('');
$description = (isset($vtodo_array['description'])) ? $vtodo_array['description'] : ('');
$completed_date = (isset($vtodo_array['completed_date'])) ? localizeDate ($dateFormat_day, strtotime($vtodo_array['completed_date'])) : ('');
$status = (isset($vtodo_array['status'])) ? $vtodo_array['status'] : ('');
$calendar_name = (isset($vtodo_array['cal'])) ? $vtodo_array['cal'] : ('');
$start_date = (isset($vtodo_array['start_date'])) ? localizeDate ($dateFormat_day, strtotime($vtodo_array['start_date'])) : ('');
$due_date = (isset($vtodo_array['due_date'])) ? localizeDate ($dateFormat_day, strtotime($vtodo_array['due_date'])) : ('');
$priority = (isset($vtodo_array['priority'])) ? $vtodo_array['priority'] : ('');
$cal_title_full = $calendar_name.' '.$lang['l_calendar'];
$description = ereg_replace("[[:alpha:]]+://[^<>[:space:]]+[[:alnum:]/]", '\0', $description);
$vtodo_text = ereg_replace("[[:alpha:]]+://[^<>[:space:]]+[[:alnum:]/]",'\0',$vtodo_text);
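Added example, not PHP iCalendar's own code: a todo.php that decodes vtodo_array defensively (strict base64, no object instantiation, only the eight expected keys, each forced to a string), accepts dates only in the YYYYMMDD form the calendar emits, and HTML-escapes every field at output time. The URL rewrite runs on already-escaped text and only for http/https. Field names match the advisory; the helper names, the date format, the rendering and the literal "Calendar" standing in for $lang['l_calendar'] are ours. Assumes PHP >= 7.0 and a UTF-8 page.

```php
<?php
// Added example, not PHP iCalendar's own code: todo.php with vtodo_array
// decoded defensively and every field HTML-escaped at output time.
// Assumptions: PHP >= 7.0, UTF-8 page; helper names and rendering are ours.

// Escape for an HTML text or attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Decode the parameter, refuse objects and non-arrays, and return exactly the
// eight expected fields as strings ('' when missing or not scalar).
function parse_vtodo_param(string $raw): array
{
    $fields  = ['cal', 'vtodo_text', 'description', 'status', 'priority',
                'completed_date', 'start_date', 'due_date'];
    $decoded = base64_decode($raw, true);            // strict mode: junk => false
    $data    = ($decoded === false)
             ? false
             : @unserialize($decoded, ['allowed_classes' => false]);
    $todo = [];
    foreach ($fields as $f) {
        $todo[$f] = (is_array($data) && isset($data[$f]) && is_scalar($data[$f]))
                  ? (string) $data[$f] : '';
    }
    return $todo;
}

// Dates: only the YYYYMMDD form the calendar itself emits is accepted, so
// strtotime() never sees free text.
function format_date(string $raw): string
{
    if (!preg_match('/^\d{8}$/', $raw)) {
        return '';
    }
    $t = strtotime($raw);
    return ($t === false) ? '' : date('Y-m-d', $t);
}

// Replacement for the ereg_replace() URL rewrite: applied to text that is
// already escaped, and only for http/https, so the anchor cannot carry a
// javascript: URL or break out of the href attribute.
function linkify(string $escaped): string
{
    return preg_replace('~\bhttps?://[^\s<>]+~i', '<a href="$0">$0</a>', $escaped);
}

$todo           = parse_vtodo_param($_GET['vtodo_array'] ?? '');
$calendar_name  = $todo['cal'];
$completed_date = format_date($todo['completed_date']);
$start_date     = format_date($todo['start_date']);
$due_date       = format_date($todo['due_date']);
$cal_title_full = $calendar_name . ' Calendar';   // $lang['l_calendar'] in the real page

echo '<h1>' . h($cal_title_full) . '</h1>';
echo '<p>' . linkify(h($todo['vtodo_text'])) . '</p>';
echo '<p>' . linkify(h($todo['description'])) . '</p>';
echo '<ul>';
echo '<li>Status: ' . h($todo['status']) . '</li>';
echo '<li>Priority: ' . h($todo['priority']) . '</li>';
echo '<li>Start: ' . h($start_date) . ' Due: ' . h($due_date)
   . ' Completed: ' . h($completed_date) . '</li>';
echo '</ul>';
```

With the advisory's own vtodo_array value this renders the calendar "Home 1234" and the text "This is a todo item"; a value carrying "<script>" in any field renders as literal text, and a value that is not a serialized array renders an empty item instead of a warning.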
7) default user:password entries for locked calendars (possible problem, should ship commented out)
> config.inc.php
$locked_map['user1:pass'] = array(''); // Map username:password accounts to locked calendars that should be
$locked_map['user2:pass'] = array(''); // unlocked if logged in. Calendar names should be the same as what is
$locked_map['user3:pass'] = array(''); // listed in the $locked_cals, again without the .ics suffix.
$locked_map['user4:pass'] = array(''); // Example: $locked_map['username:password'] = array('Locked1', 'Locked2');
> userauth_functions.php (the login cookie is unserialize()d and carries the username and password as plain serialized fields)
$login_cookie = unserialize(stripslashes($_COOKIE['phpicalendar_login']));
if (isset($login_cookie['username']) && isset($login_cookie['password'])) {
$username = $login_cookie['username'];
$password = $login_cookie['password'];
}
8) XSS in event.php through serialized data in $master_array (via bug #3)
$_POST['date'], $_POST['time'] and the decoded uid index into the array, and the organizer and attendee strings are unserialize()d a second time, so every event field comes from the attacker-chosen cache file.
$event = $master_array[$_POST['date']][$_POST['time']][decode_popup($_POST['uid'])];
$organizer = unserialize($event['organizer']);
$attendee = unserialize($event['attendee']);
9) low risk: unused parse($file) method in the template class (include() of a caller-supplied path)
function parse($file) {
ob_start();
include($file);
$buffer = ob_get_contents();
ob_end_clean();
return $buffer;
}