Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Asher Glynn (asherSECUREREALITY.COM.AU)
Date: Mon Apr 23 2001 - 09:13:32 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Secure Reality Pty Ltd. Security Pre-Advisory #4 (SRPRE00004)

    Remote command execution vulnerabilities in WebCalendar


    This is a pre-release. This vulnerability will be discussed in detail during
    Shaun Clowes' speech at the Black Hat briefings in Asia in the week of the
    23rd of April. A full advisory will be issued following the conference

    WebCalendar 0.9.26

    All prior versions are almost certainly vulnerable but not tested

    Remote command execution by unauthenticated remote users

    The Authors have not yet been able to correct the issues in mainstream
    versions. SecureReality is providing patches for the problems, no liability
    for the performance or effectiveness of these patches is accepted.

    WebCalendar 0.9.26:

    Users of earlier versions are advised to upgrade to the versions specified
    then apply the patches.

    To apply the patches:
     - cd to the directory in which the application files are stored (e.g
     - run 'patch -p0 < *Path to patch file*'

    Advice, directions and instructions on security vulnerabilities in this
    advisory do not constitute: an endorsement of illegal behavior; a guarantee
    that protection measures will work; an endorsement of any product or
    solution or recommendations on behalf of Secure Reality Pty Ltd. Content is
    provided as is and Secure Reality Pty Ltd does not accept responsibility for
    any damage or injury caused as a result of its use.