CVE-2007-1343 - OpenCVE

includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Webcalendar	Webcalendar

Configuration 1 [-]

OR	cpe:2.3:a:webcalendar:webcalendar:1.0.0:::::::*
	cpe:2.3:a:webcalendar:webcalendar:1.0.1:::::::*
	cpe:2.3:a:webcalendar:webcalendar:1.0.2:::::::*
	cpe:2.3:a:webcalendar:webcalendar:1.0.3:::::::*
	cpe:2.3:a:webcalendar:webcalendar:1.0.4:::::::*

References

Link	Resource
http://secunia.com/advisories/24403	Patch Vendor Advisory
http://secunia.com/advisories/24519
http://sourceforge.net/mailarchive/forum.php?thread_id=31840112&forum_id=46247
http://sourceforge.net/project/shownotes.php?group_id=3870&release_id=491130	Patch
http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7&r2=1.211.2.8	Patch
http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log	Patch
http://www.debian.org/security/2007/dsa-1267
http://www.securityfocus.com/bid/22834	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2007/0851
https://exchange.xforce.ibmcloud.com/vulnerabilities/32832

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2007-03-08T00:00:00

Updated: 2017-07-28T12:57:01

Reserved: 2007-03-07T00:00:00

Link: CVE-2007-1343

JSON object: View

NVD Information

Status : Modified

Published: 2007-03-08T22:19:00.000

Modified: 2017-07-29T01:30:44.687

Link: CVE-2007-1343

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-03-04T00:00:00", "descriptions": [{"lang": "en", "value": "includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "ADV-2007-0851", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2007/0851"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sourceforge.net/project/shownotes.php?group_id=3870&release_id=491130"}, {"name": "24519", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/24519"}, {"name": "22834", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/22834"}, {"name": "DSA-1267", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2007/dsa-1267"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7&r2=1.211.2.8"}, {"name": "webcalendar-noset-variable-overwrite(32832)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/32832"}, {"name": "24403", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/24403"}, {"name": "[webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://sourceforge.net/mailarchive/forum.php?thread_id=31840112&forum_id=46247"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-1343", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "ADV-2007-0851", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/0851"}, {"name": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log", "refsource": "CONFIRM", "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log"}, {"name": "http://sourceforge.net/project/shownotes.php?group_id=3870&release_id=491130", "refsource": "CONFIRM", "url": "http://sourceforge.net/project/shownotes.php?group_id=3870&release_id=491130"}, {"name": "24519", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24519"}, {"name": "22834", "refsource": "BID", "url": "http://www.securityfocus.com/bid/22834"}, {"name": "DSA-1267", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2007/dsa-1267"}, {"name": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7&r2=1.211.2.8", "refsource": "CONFIRM", "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7&r2=1.211.2.8"}, {"name": "webcalendar-noset-variable-overwrite(32832)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/32832"}, {"name": "24403", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/24403"}, {"name": "[webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch)", "refsource": "MLIST", "url": "http://sourceforge.net/mailarchive/forum.php?thread_id=31840112&forum_id=46247"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-1343", "datePublished": "2007-03-08T00:00:00", "dateReserved": "2007-03-07T00:00:00", "dateUpdated": "2017-07-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webcalendar:webcalendar:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "8B4B3D85-86AC-4346-9073-BB2CD26A8C6B", "vulnerable": true}, {"criteria": "cpe:2.3:a:webcalendar:webcalendar:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "81651E6E-201C-4513-BFAB-F19A4C1A6E37", "vulnerable": true}, {"criteria": "cpe:2.3:a:webcalendar:webcalendar:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7059C029-D258-439B-B1E2-3302E4BAD836", "vulnerable": true}, {"criteria": "cpe:2.3:a:webcalendar:webcalendar:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D4BC98A1-5D3F-435D-A604-3F4CA9E13C74", "vulnerable": true}, {"criteria": "cpe:2.3:a:webcalendar:webcalendar:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8766B333-F2CF-4562-A7A9-FAC7E39D4470", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues."}, {"lang": "es", "value": "includes/functions.php de Craig Knudsen WebCalendar before 1.0.5 no protege la variable noSet de modificaciones externas, lo cual permite a atacantes remotos asignar valor a variables globales de su elecci\u00f3n mediante una URL con valores modificados en el par\u00e1metro noSet, que conduce a vulnerabilidades resultantes que probablemente incluyen inclusi\u00f3n remota de ficheros y otros ataques."}], "id": "CVE-2007-1343", "lastModified": "2017-07-29T01:30:44.687", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-03-08T22:19:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/24403"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/24519"}, {"source": "cve@mitre.org", "url": "http://sourceforge.net/mailarchive/forum.php?thread_id=31840112&forum_id=46247"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://sourceforge.net/project/shownotes.php?group_id=3870&release_id=491130"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?r1=1.211.2.7&r2=1.211.2.8"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://webcalendar.cvs.sourceforge.net/webcalendar/webcalendar/includes/functions.php?view=log"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2007/dsa-1267"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.securityfocus.com/bid/22834"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/0851"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/32832"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}