=====================================================================
                                     CERT-Renater

                          Note d'Information No. 2007/VULN117
_____________________________________________________________________

DATE                      : 16/03/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running webcalendar.

======================================================================

http://sourceforge.net/mailarchive/forum.php?thread_id=31840112&forum_id=46247
______________________________________________________________________

Version 1.0.5 of WebCalendar has been release. All 1.0.X and earlier
users are strongly encouraged to upgrade to version 1.0.5. Users of
WebCalendar 1.1.X can upgrade to the most recent code in CVS (where this
issue has been fixed). A new 1.1.X release should be made available
shortly.

You can obtain version 1.0.5 from SourceForge.net:


http://sourceforge.net/project/showfiles.php?group_id=3870&package_id=3844&release_id=491130
<http://sourceforge.net/project/showfiles.php?group_id=3870&package_id=3844&release_id=491130><br 
/>
This release fixes a potential security issue with WebCalendar 1.0.4 and
earlier. (This bug has not hit the Bugtraq list yet, but I have been
told that it will soon.) Below is an overview of the exploit:

EXPLOIT INFO:

Suggested name: Empty noSet includedir crack

Description: Recent versions of Webcalendar (including 1.0.3, 1.0.4,
1.1.2) uses a global array $noSet to list variables that can not be
set by the HTTP query string. The problem is that the variable noSet
itself isn't protected this way and hence can be set in the query
string - effectively wiping out noSet making the old includedir
exploit working WITHOUT register_globals on.



If you have any questions about this exploit of the upgrade process,
please post them to the Help/Troubleshooting forum on SourceForge.net:

http://sourceforge.net/forum/forum.php?forum_id=11588

Thanks,
Craig


======================================================================

            =========================================================
            Les serveurs de référence du CERT-Renater
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================