741288 – (CVE-2011-3814) CVE-2011-3814 WebCalendar: Installation path disclosure via a direct request to a ws/user_mod.php file

Bug 741288 (CVE-2011-3814) - CVE-2011-3814 WebCalendar: Installation path disclosure via a direct request to a ws/user_mod.php file

Summary: CVE-2011-3814 WebCalendar: Installation path disclosure via a direct request ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2011-3814
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	741290
Blocks:
TreeView+	depends on / blocked

Reported:	2011-09-26 13:54 UTC by Jan Lieskovsky
Modified:	2019-09-29 12:47 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-10-24 09:46:13 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jan Lieskovsky 2011-09-26 13:54:16 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3814 to
the following vulnerability:

WebCalendar 1.2.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by ws/user_mod.php and certain other files.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3814
[2] http://www.openwall.com/lists/oss-security/2011/06/27/6
[3] http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README
[4] http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/WebCalendar-1.2.3

Comment 1 Jan Lieskovsky 2011-09-26 13:55:25 UTC

This issue affects the versions of the WebCalendar package, as shipped with Fedora release of 14 and 15. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-09-26 13:56:41 UTC

Created WebCalendar tracking bugs for this issue

Affects: fedora-all [bug 741290]

Comment 3 Fedora Update System 2011-10-22 08:28:50 UTC

WebCalendar-1.2.3-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2011-10-22 08:29:47 UTC

WebCalendar-1.2.3-5.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.