cvelistv5 - cve-2007-1343

CVE-2007-1343 (GCVE-0-2007-1343)

Vulnerability from cvelistv5

Published

2007-03-08 00:00

Modified

2024-08-07 12:50

Severity ?

CWE

Summary

includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues.

References

URL

Tags

	http://www.vupen.com/english/advisories/2007/0851	vdb-entry, x_refsource_VUPEN
	http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log	x_refsource_CONFIRM
	http://sourceforge.net/project/shownotes.php?group_id=3870&release_id=491130	x_refsource_CONFIRM
	http://secunia.com/advisories/24519	third-party-advisory, x_refsource_SECUNIA
	http://www.securityfocus.com/bid/22834	vdb-entry, x_refsource_BID
	http://www.debian.org/security/2007/dsa-1267	vendor-advisory, x_refsource_DEBIAN
	http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7&r2=1.211.2.8	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilities/32832	vdb-entry, x_refsource_XF
	http://secunia.com/advisories/24403	third-party-advisory, x_refsource_SECUNIA
	http://sourceforge.net/mailarchive/forum.php?thread_id=31840112&forum_id=46247	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T12:50:35.036Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ADV-2007-0851",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2007/0851"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://sourceforge.net/project/shownotes.php?group_id=3870\u0026release_id=491130"
          },
          {
            "name": "24519",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/24519"
          },
          {
            "name": "22834",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/22834"
          },
          {
            "name": "DSA-1267",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2007/dsa-1267"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7\u0026r2=1.211.2.8"
          },
          {
            "name": "webcalendar-noset-variable-overwrite(32832)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/32832"
          },
          {
            "name": "24403",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/24403"
          },
          {
            "name": "[webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://sourceforge.net/mailarchive/forum.php?thread_id=31840112\u0026forum_id=46247"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2007-03-04T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-28T12:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "ADV-2007-0851",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2007/0851"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://sourceforge.net/project/shownotes.php?group_id=3870\u0026release_id=491130"
        },
        {
          "name": "24519",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/24519"
        },
        {
          "name": "22834",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/22834"
        },
        {
          "name": "DSA-1267",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2007/dsa-1267"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7\u0026r2=1.211.2.8"
        },
        {
          "name": "webcalendar-noset-variable-overwrite(32832)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/32832"
        },
        {
          "name": "24403",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/24403"
        },
        {
          "name": "[webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://sourceforge.net/mailarchive/forum.php?thread_id=31840112\u0026forum_id=46247"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2007-1343",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "ADV-2007-0851",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2007/0851"
            },
            {
              "name": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log",
              "refsource": "CONFIRM",
              "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log"
            },
            {
              "name": "http://sourceforge.net/project/shownotes.php?group_id=3870\u0026release_id=491130",
              "refsource": "CONFIRM",
              "url": "http://sourceforge.net/project/shownotes.php?group_id=3870\u0026release_id=491130"
            },
            {
              "name": "24519",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/24519"
            },
            {
              "name": "22834",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/22834"
            },
            {
              "name": "DSA-1267",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2007/dsa-1267"
            },
            {
              "name": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7\u0026r2=1.211.2.8",
              "refsource": "CONFIRM",
              "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7\u0026r2=1.211.2.8"
            },
            {
              "name": "webcalendar-noset-variable-overwrite(32832)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/32832"
            },
            {
              "name": "24403",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/24403"
            },
            {
              "name": "[webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch)",
              "refsource": "MLIST",
              "url": "http://sourceforge.net/mailarchive/forum.php?thread_id=31840112\u0026forum_id=46247"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2007-1343",
    "datePublished": "2007-03-08T00:00:00.000Z",
    "dateReserved": "2007-03-07T00:00:00.000Z",
    "dateUpdated": "2024-08-07T12:50:35.036Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CERTA-2007-AVI-111

Vulnerability from certfr_avis

Une vulnérabilité de Webcalendar permet à un utilisateur malveillant d'exécuter du code arbitraire à distance sur le système vulnérable.

Description

Webcalendar est une application web de gestion d'agenda personnel ou collectif écrite en PHP.

Une erreur affecte le traitement des paramètres non spécifiés. Cette erreur permettrait à un utilisateur malveillant de modifier des variables globales et d'exécuter du code PHP arbitraire à distance.

Solution

La version 1.0.5 corrige le problème. Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Webcalendar version 1.0.4 et antérieures.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted