cbcvebase.
CVE-2012-1495
published 2020-01-27

CVE-2012-1495: install/index.php in WebCalendar before 1.2.5 allows remote attackers to execute arbitrary code via the form_single_user_login parameter.

PriorityP181critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
79.76%
99.6th percentile
install/index.php in WebCalendar before 1.2.5 allows remote attackers to execute arbitrary code via the form_single_user_login parameter.

Affected

1 ranges
VendorProductVersion rangeFixed in
webcalendar_projectwebcalendar< 1.2.51.2.5

Detection & IOCsextracted from sources · hover to see the quote

pathinstall/index.php
commandapp_settings=1&form_user_inc=user.php&form_single_user_login=*/print(____);passthru(base64_decode($_SERVER[HTTP_CMD]));die;
command*/print(____);passthru(base64_decode($_SERVER[HTTP_CMD]));die;
urlhttp://<host>/install/index.php
path/WebCalendar-1.2.4/
  • Detect POST requests to install/index.php with parameters 'app_settings', 'form_user_inc', and 'form_single_user_login' containing PHP code (e.g., passthru, base64_decode).
  • Detect GET requests to includes/settings.php with a non-standard HTTP header 'Cmd' containing base64-encoded OS commands — this is the payload execution step.
  • Alert on HTTP responses from includes/settings.php containing the pattern '____' followed by command output, which is the exploit's output delimiter.
  • Flag web server responses from WebCalendar matching the pattern /WebCalendar v1.2.\d/ as potentially vulnerable targets being fingerprinted by attackers.
  • Monitor writes to includes/settings.php by the web server process (www-data), as exploitation injects PHP code into this file.
  • Detect the presence of install/index.php on a production WebCalendar deployment; its accessibility is the prerequisite for this pre-auth RCE.
  • ·The exploit targets WebCalendar 1.2.4 and earlier; version 1.2.5 contains the fix. Ensure the installed version is 1.2.5 or later.
  • ·The attack is pre-authentication and requires no valid credentials, making network-level blocking of install/index.php critical on any exposed instance.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.