CVE-2006-1292

PHP iCalendar <2.21 - Path Traversal

Description

Directory traversal vulnerability in Jim Hu and Chad Little PHP iCalendar 2.21 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in the phpicalendar[cookie_language] and phpicalendar[cookie_style] cookies, as demonstrated by injecting PHP sequences into an Apache access_log file, which is then included by day.php.

Exploits (1)

exploitdb WORKING POC VERIFIED
by rgod · php · webapps · php
https://www.exploit-db.com/exploits/1585

Scores

EPSS 0.0730
EPSS Percentile 91.7%

Details

Status published
Products (7)
php_icalendar/php_icalendar 2.0
php_icalendar/php_icalendar 2.0.1
php_icalendar/php_icalendar 2.0a2
php_icalendar/php_icalendar 2.0b
php_icalendar/php_icalendar 2.0c
php_icalendar/php_icalendar 2.1
php_icalendar/php_icalendar < 2.2.1
Published Mar 19, 2006
Tracked Since Feb 18, 2026