CVE-2006-1292

Name of the Vulnerable Software and Affected Versions PHP iCalendar versions 2.21 and earlier

Description A directory traversal issue allows remote attackers to include and execute arbitrary local files. This is achieved by using directory traversal sequences and a NUL (%00) character in the phpicalendar[cookie language] and phpicalendar[cookie style] cookies. An example of exploitation is injecting PHP sequences into an Apache access log file, which is then included by day.php.

Recommendations For PHP iCalendar versions 2.21 and earlier, consider restricting access to the day.php file and avoid using the phpicalendar[cookie language] and phpicalendar[cookie style] cookies until a patch is available. As a temporary workaround, restrict the ability to inject PHP sequences into log files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.