[VIM] [ISecAuditors Security Advisories] PHP-Calendar <= v1.1 'configfile' Remote and Local File Inclusion vulnerability

George A. Theall theall at tenablesecurity.com
Tue Dec 22 20:04:30 UTC 2009

A bit of clarification about the advisory ISecAuditors made in their  
advisory about PHP-Calendar, as covered by CVE-2009-3702...

The ISecAuditors advisory includes a code snippet from update08.php as  
distributed with version 1.1:

   36 } elseif(!empty($_GET['configfile'])) {
   37 if(file_exists($_GET['configfile'])) {
   38 require_once($_GET['configfile']);

Looks pretty bad, doesn't it? Now look at an expanded code snippet  
from that same file:

   $phpc_root_path = './';

   require_once($phpc_root_path . "includes/calendar.php");

   $have_config = false;
   if(file_exists($phpc_root_path . 'config.php')) {
           require_once($phpc_root_path . 'config.php');
           $have_config = true;
   } elseif(file_exists($phpc_root_path . 'config.inc.php')) {
           require_once($phpc_root_path . 'config.inc.php');
           $have_config = true;
   } elseif(!empty($_GET['configfile'])) {
           if(file_exists($_GET['configfile'])) {
                   $have_config = true;

Now you can see you only reach the vulnerable code if two conditions  
are unmet, each of which checks for a config file, presumably from an  
earlier install of some version or another. In other words, the  
vulnerability is only exploitable if the software has not been already  
installed or the installation was broken by having its config file(s)  

theall at tenablesecurity.com

More information about the VIM mailing list