PROBLEM:
WebCalendar Access Control and File Inclusion Bugs Let Remote Users Potentially Execute Arbitrary Code
PLATFORM:
WebCalendar 1.2.4 and prior versions
ABSTRACT:
Two vulnerabilities were reported in WebCalendar. A remote user may be able to execute arbitrary PHP code on the target system.
REFERENCE LINKS:
SecurityTracker Alert ID: 1026966
CVE-2012-1495
CVE-2012-1496
IMPACT ASSESSMENT:
Medium
Discussion:
The first flaw is an access control issue: a remote user can access '/install/index.php' to potentially modify '/includes/settings/' with arbitrary values or PHP code. The second is a file inclusion issue: a remote authenticated user can send a specially crafted request to '/pref.php' to include an arbitrary local file; magic_quotes_gpc must be disabled to exploit this flaw.
Impact:
A remote user may be able to execute arbitrary PHP code on the target system.
Solution:
The vendor has issued a fix (1.2.5).
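A defender can check one deployment against the conditions named in the Discussion. The following is an added example, not code from the advisory or from WebCalendar: the function names, finding labels and sample inputs are constructed for illustration, the version string is supplied by the operator, and the installer check looks at the file system rather than at what the web server actually serves.

```python
import os
import re
import tempfile

FIXED = (1, 2, 5)  # first fixed release according to the advisory


def parse_version(text):
    """Turn '1.2.4' or 'v1.2.4' into a comparable tuple of ints."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums[:3])


def magic_quotes_enabled(php_ini_text):
    """True/False for the last magic_quotes_gpc directive, None if unset."""
    state = None
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.fullmatch(r'magic_quotes_gpc\s*=\s*"?(\w+)"?', line, re.I)
        if m:
            state = m.group(1).lower() in ("1", "on", "true", "yes")
    return state


def audit(webroot, version, php_ini_text):
    """List which of the advisory's conditions hold for one deployment."""
    findings = []
    if parse_version(version) < FIXED:
        findings.append("affected-version")
    if os.path.isfile(os.path.join(webroot, "install", "index.php")):
        findings.append("installer-present")
    # An unset directive is treated as disabled (assumption of this example).
    if not magic_quotes_enabled(php_ini_text):
        findings.append("magic-quotes-disabled")
    return findings


def demo():
    """Constructed deployment: a 1.2.4 tree with the installer left in place."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "install"))
        open(os.path.join(root, "install", "index.php"), "w").close()
        return audit(root, "v1.2.4", "; sample\nmagic_quotes_gpc = Off\n")


if __name__ == "__main__":
    print(demo())
```

An empty result from `audit` means none of the three conditions was found; "magic-quotes-disabled" on its own only reports the precondition for the file inclusion flaw and is not a recommendation to rely on that setting instead of the 1.2.5 fix.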