CVE-2009-3702

php-calendar 1.1 - Path Traversal and Arbitrary File Execution via configfile Parameter


Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-3702. PoCs published by Juan Galiana Lara.

AI-analyzed exploit summary: This exploit demonstrates a file inclusion vulnerability in PHP-Calendar 1.1, allowing remote or local file inclusion via the 'configfile' parameter in update10.php. The PoC shows how an attacker can include arbitrary files or execute scripts in the context of the webserver.

Description

Multiple absolute path traversal vulnerabilities in PHP-Calendar 1.1 allow remote attackers to include and execute arbitrary local files via a full pathname in the configfile parameter to (1) update08.php or (2) update10.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.
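A log check for the request pattern the description names, as an added example (not code from this page or from PHP-Calendar): it flags requests to update08.php or update10.php whose configfile value is an absolute path, a UNC share or a URL. The combined access-log format, the /php-calendar/ URL prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts and parameter named in the CVE description.
SCRIPTS = ("update08.php", "update10.php")
PARAM = "configfile"
# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return why a configfile value is suspicious, or None if it is a relative name."""
    if re.match(r"^[A-Za-z][A-Za-z0-9+.\-]*://", value):
        return "url-scheme"        # ftp://, ftps://, ssh2.sftp://, ...
    if value.startswith(("\\\\", "//")):
        return "unc-share"         # \\host\share or //host/share
    if value.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", value):
        return "absolute-path"     # Unix root or Windows drive letter
    return None

def scan(lines):
    """Yield (line_number, script, reason, value) for each flagged request."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1].lower()
        if script not in SCRIPTS:
            continue
        # parse_qs percent-decodes values, so encoded slashes are classified too.
        for value in parse_qs(url.query).get(PARAM, []):
            reason = classify(value)
            if reason:
                yield n, script, reason, value

# Constructed sample log lines (not from the original page).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /php-calendar/index.php?month=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2010:10:00:05 +0000] "GET /php-calendar/update10.php?configfile=%2Ftmp%2Fplaceholder.txt HTTP/1.1" 200 90',
    '192.0.2.11 - - [01/Jan/2010:10:00:09 +0000] "GET /php-calendar/update08.php?configfile=ftp://198.51.100.7/placeholder.txt HTTP/1.1" 200 90',
    '192.0.2.12 - - [01/Jan/2010:10:00:12 +0000] "GET /php-calendar/update10.php?configfile=%5C%5C198.51.100.8%5Cshare%5Cplaceholder.txt HTTP/1.1" 200 90',
    '192.0.2.13 - - [01/Jan/2010:10:00:20 +0000] "GET /php-calendar/update10.php HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The check only sees parameters carried in the logged request line, so a configfile value sent in a POST body needs request-body logging or a WAF rule to be covered.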

Exploits (2)

exploitdb WORKING POC VERIFIED
by Juan Galiana Lara · text · webapps · php
https://www.exploit-db.com/exploits/33437


Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: PHP-Calendar 1.1
No auth needed
Prerequisites: Access to the target web application · Ability to craft HTTP requests
devstral-2 · analyzed Feb 16, 2026
exploitdb WRITEUP VERIFIED
by Juan Galiana Lara · text · webapps · php
https://www.exploit-db.com/exploits/33436

The code describes a file inclusion vulnerability in PHP-Calendar 1.1, where unsanitized user input in the 'configfile' parameter allows remote and local file inclusion. Exploitation can lead to arbitrary code execution or sensitive information disclosure.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: PHP-Calendar 1.1
No auth needed
Prerequisites: Access to the vulnerable endpoint · Ability to craft malicious URLs
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508548/100/0/threaded

Scores

EPSS 0.0245
EPSS Percentile 82.2%

Details

CWE: CWE-22
Status published
Products (1)
php-calendar/php-calendar 1.1
Published Dec 22, 2009
Tracked Since Feb 18, 2026