CVE-2012-1495
Published 2020-01-27

install/index.php in WebCalendar before 1.2.5 allows remote attackers to execute arbitrary code via the form_single_user_login parameter.

Priority P181 · critical · 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 79.76% (99.6th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| webcalendar_project | webcalendar | < 1.2.5 | 1.2.5 |
Detection & IOCs (extracted from sources)

command: `app_settings=1&form_user_inc=user.php&form_single_user_login=*/print(____);passthru(base64_decode($_SERVER[HTTP_CMD]));die;`

- Detect POST requests to install/index.php with parameters 'app_settings', 'form_user_inc', and 'form_single_user_login' containing PHP code (e.g., passthru, base64_decode).
- Detect GET requests to includes/settings.php with a non-standard HTTP header 'Cmd' containing base64-encoded OS commands; this is the payload execution step.
- Alert on HTTP responses from includes/settings.php containing the pattern '____' followed by command output, which is the exploit's output delimiter.
- Flag web server responses from WebCalendar matching the pattern /WebCalendar v1.2.\d/ as potentially vulnerable targets being fingerprinted by attackers.
- Monitor writes to includes/settings.php by the web server process (www-data), as exploitation injects PHP code into this file.
- Detect the presence of install/index.php on a production WebCalendar deployment; its accessibility is the prerequisite for this pre-auth RCE.
- The exploit targets WebCalendar 1.2.4 and earlier; version 1.2.5 contains the fix. Ensure the installed version is 1.2.5 or later.
- The attack is pre-authentication and requires no valid credentials, making network-level blocking of install/index.php critical on any exposed instance.
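
A small detector for the first two request patterns in the list above, added here as an example and not taken from any of the indexed sources. The request-record layout, the `/webcalendar` path prefix, the finding labels and the sample records are constructed assumptions; the POST body is the command string quoted on this page.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Parameter names and code tokens named in the detection notes above.
INSTALL_PARAMS = {"app_settings", "form_user_inc", "form_single_user_login"}
PHP_TOKENS = re.compile(r"passthru|base64_decode|\$_SERVER|\*/|<\?php", re.I)


def is_base64(value):
    """True if value is non-empty and decodes as strict base64."""
    try:
        return bool(value) and bool(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return False


def classify(req):
    """Return a finding label (hypothetical names) for one request, or None."""
    path = req["path"].split("?", 1)[0].lower()
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if req["method"] == "POST" and path.endswith("install/index.php"):
        params = parse_qs(req.get("body", ""), keep_blank_values=True)
        login = " ".join(params.get("form_single_user_login", []))
        if INSTALL_PARAMS <= params.keys() and PHP_TOKENS.search(login):
            return "settings-injection"
        # Any POST to the installer on a production host is worth review.
        return "install-script-post"
    if req["method"] == "GET" and path.endswith("includes/settings.php"):
        if is_base64(headers.get("cmd", "")):
            return "cmd-header-execution"
    return None


def scan(requests):
    return [classify(r) for r in requests]


# Constructed sample records; the first body is the string quoted on this page.
SAMPLE = [
    {"method": "POST", "path": "/webcalendar/install/index.php",
     "body": "app_settings=1&form_user_inc=user.php&form_single_user_login="
             "*/print(____);passthru(base64_decode($_SERVER[HTTP_CMD]));die;"},
    {"method": "GET", "path": "/webcalendar/includes/settings.php",
     "headers": {"Cmd": "aWQ="}},
    {"method": "POST", "path": "/webcalendar/login.php", "body": "login=alice"},
    {"method": "GET", "path": "/webcalendar/includes/settings.php"},
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Request bodies and custom headers are not present in default access logs, so this logic needs a source that records them, such as a WAF or reverse-proxy audit log.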
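CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |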
No detection rules found.
Exploit-DB
WebCalendar 1.2.4 - Remote Code Injection (Metasploit)
exploitdb · 2012-04-29 · CVE-2012-1495
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",
'Description' => %q{
This modules exploits a vulnerability found in WebCalendar, version 1.2.4 or
less. If not removed, the settings.php script meant for installation can be
update by an attacker, and then inject code in it. This allows arbitrary code
execution as www-data.
},
'License' => MSF_LICENSE,
'Author' =>
[
'EgiX', #Initial discovery & PoC
'sinn3r' #Metasploit
],
'References' =>
[
Exploit-DB
WebCalendar 1.2.4 - Remote Code Execution
exploitdb · 2012-04-23 · CVSS 9.8 · CVE-2012-1496 [CRITICAL]
---
$v ) {
743. if ( $v != '' && $v != '' )
744. fwrite ( $fd, $k . ': ' . $v . "\r\n" );
745. }
Restricted access to this script isn't properly realized, so an attacker might be able
to update /includes/settings.php with arbitrary values or inject PHP code into it.
[-] vulnerable code to LFI in /pref.php (CVE-2012-1496)
70. if ( ! empty ( $_POST ) && empty ( $error )) {
71. $my_theme = '';
72. $currenttab = getPostValue ( 'currenttab' );
73. save_pref ( $_POST, 'post' );
74.
75. if ( ! empty ( $my_theme ) ) {
76. $theme = 'themes/'. $my_theme . '_pref.php';
77. include_once $theme;
78. save_pref ( $webcal_theme, 'theme' );
79. }
Input passed through $_POST['pref_THEME'] isn't properly sanitized before being assigned
to $my_theme variable, th
Metasploit
WebCalendar 1.2.4 Pre-Auth Remote Code Injection
This module exploits a vulnerability found in k5n.us WebCalendar, version 1.2.4 or less. If not removed, the settings.php script meant for installation can be updated by an attacker, who can then inject code into it. This allows arbitrary code execution as www-data.
No writeups or analysis indexed.
- http://sourceforge.net/projects/webcalendar/files/webcalendar%201.2/1.2.5/
- https://packetstormsecurity.com/files/112323/WebCalendar-1.2.4-Pre-Auth-Remote-Code-Injection.html
- https://packetstormsecurity.com/files/112332/WebCalendar-1.2.4-Remote-Code-Execution.html
- https://www.exploit-db.com/exploits/18775