Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 7.5
CVE Id CVE-2006-1291
Last Modified 07 Mar 2011 09:32:43
Published 19 Mar 2006 06:02:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2006-1291

Summary

publish.ical.php in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier does not require authentication for write access to the calendars directory, which allows remote attackers to upload and execute arbitrary PHP scripts via a WebDAV PUT request with a filename containing a .php extension and a trailing null character.

Vulnerable Systems

Application

  • Php Icalendar 2.0

  • Php Icalendar 2.0.1

  • Php Icalendar 2.0a2

  • Php Icalendar 2.0b

  • Php Icalendar 2.0c

  • Php Icalendar 2.1

  • Php Icalendar 2.2.1


References

VUPEN - ADV-2006-1019

BID - 17129

MILW0RM - 1586

MISC - http://downloads.securityfocus.com/vulnerabilities/exploits/php-iCalendar-221.upload.php

SECUNIA - 19285


Last Updated: 27 May 2016 10:42:00