export_handler.php in WebCalendar 1.0.1 allows remote malicious users to overwrite WebCalendar data files via a modified id parameter.
webcalendar webcalendar 1.0.1