[VIM] Source VERIFY - Light Weight Calendar issue is eval injection

Steven M. Christey coley at mitre.org
Sat Mar 18 19:05:35 EST 2006


I did some source code inspection of the Light Weight Calendar issue
reported here:

  http://www.milw0rm.com/exploits/1570

(date parameter to index.php).

The issue is due to eval injection in cal.php.

index.php merely requires cal.php.  calEnter() is called at the top
level of cal.php.  It calls calOpen(), which sets $date to
$_REQUEST['date'], calling calMain() with the $date argument, which
calls calLeftSide with the $date argument, which is inserted into a $s
variable, which is then fed directly into eval($s).


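The pattern Steve describes, as an added example that is neither the Light Weight Calendar source nor part of his message. The function bodies below are hypothetical reconstructions of the chain (calOpen -> calMain -> calLeftSide -> eval), the string built into $s is an assumption, and the payload is constructed here to show how a closing quote in the date parameter turns string interpolation into code execution. A hardened version that validates the parameter and drops eval follows it.

```php
<?php
// Added example, not the Light Weight Calendar code. Function bodies, the
// string assembled into $s, and the payload are all assumptions made to mirror
// the call chain described in the message. Run with: php example.php

// --- Vulnerable pattern (constructed to mirror the described chain) ---

function calLeftSide_vulnerable($date) {
    // $date arrives unchanged from $_REQUEST and is spliced into PHP source text.
    $s = '$shown = "Calendar for ' . $date . '";';
    eval($s);                 // attacker-controlled text is executed as PHP
    return $shown;
}

function calMain_vulnerable($date) {
    return calLeftSide_vulnerable($date);
}

function calOpen_vulnerable() {
    $date = isset($_REQUEST['date']) ? $_REQUEST['date'] : date('Y-m-d');
    return calMain_vulnerable($date);
}

// --- Hardened pattern ---

// Accept only a YYYY-MM-DD string naming a real calendar date; reject all else.
function parseDateParam($raw) {
    if (!is_string($raw) || !preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $raw, $m)) {
        return null;
    }
    if (!checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        return null;
    }
    return $m[0];
}

function calLeftSide_fixed($date) {
    // No eval: build the output with ordinary string operations and escape it
    // for HTML, so the value can never be interpreted as code.
    return 'Calendar for ' . htmlspecialchars($date, ENT_QUOTES, 'UTF-8');
}

function calOpen_fixed() {
    $date = parseDateParam($_REQUEST['date'] ?? '');
    if ($date === null) {
        $date = date('Y-m-d');   // safe default instead of the rejected input
    }
    return calLeftSide_fixed($date);
}

// Constructed payload: closes the string literal inside $s, appends arbitrary
// PHP, and reopens a literal so the generated source still parses.
$_REQUEST['date'] = '2006-03-18"; echo "INJECTED: " . php_uname() . "\n"; $x = "';

// The injected echo runs inside eval() before the "vulnerable:" line is printed.
echo "vulnerable: " . calOpen_vulnerable() . "\n";
// The same input fails parseDateParam(), so the fixed path prints today's date.
echo "fixed:      " . calOpen_fixed() . "\n";
```

The fix worth taking from this is the second half: the date parameter needs a strict whitelist (format plus checkdate), and the output should be assembled without eval at all, since even a validated value has no business being compiled as PHP.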