PHP-Calendar SQL Credential Disclosure

30 November -0001

PHP-Calendar (http://www.php-calendar.com) was "written for a college social group at Northeastern University to keep track of events, etc. We were previously using localendar, which I (Sean Proctor) didn't like and had some problems with. I found CST-Calendar which did most of what I wanted, but was rather ugly and missed some features that we needed. So, I gradually re-wrote CST-Calendar since that project seemed to have stopped work entirely."

This vulnerability centers around the fact that PHP-Calendar comes with update scripts to update previous versions of the software. These scripts will print to the screen the database host, username, password, database name, table prefix, and database type. This file is named in two separate conventions depending on the installed version of PHP-Calendar. In versions prior to 1.1 this file is named "update.php" in version 1.1 two files exist named "update08.php" and "update10.php". Calling these files via a web browser (e.x. http://targetsite.com/phpcalendar/update.php) will print a succinct message including the above described information.

Determining version of PHP-Calendar is often trivial as a NEWS file is included in every distribution that will reveal version information. Browsing to http://targetsite.tld/phpcalendar/NEWS will display the versioning information if that file is present. Note that several versions of PHP-Calendar are affected by other vulnerabilities (SQL injection - http://www.securityfocus.com/bid/13405/, remote file inclusion - http://www.securityfocus.com/bid/12127/).

Remediation

Removal of the update scripts and all other unnecessary files (AUTHORS, COPYING, FAQ, INSTALL, NEWS, README, UPDATE) should remedy this vulnerability. Unfortunately instructions about the removal of these files is not included in the installation guide or the automated install scripts.