Intrusion Prevention

ACal.Calendar.Cookie.Based.Authentication.Bypass

Description

This indicates an attempt to exploit an authentication bypass vulnerability in the ACal Calendar Project.
The vulnerability is due to an error in the "login.php" script. The script relies on the "ACalAuthenticate" cookie parameter to determine if a user has been successfully authenticated. This can be exploited by remote attackers to bypass the authentication process and gain unauthorized access to the application, by setting the "ACalAuthenticate" parameter to "inside".
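
The check described above can be sketched as detection logic over raw HTTP requests. This is an added example, not the signature's or the ACal project's own code; the sample requests, host name and function names are constructed for illustration, and it assumes the cookie value arrives either literally or percent-encoded.

```python
from urllib.parse import unquote

COOKIE_NAME = "ACalAuthenticate"  # cookie named in the description
BYPASS_VALUE = "inside"           # value named in the description

def parse_cookies(header_value):
    """Split a Cookie header value into (name, decoded value) pairs."""
    pairs = []
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # Percent-decode so an encoded form of the value is still matched.
        pairs.append((name.strip(), unquote(value.strip())))
    return pairs

def is_bypass_attempt(raw_request):
    """True if any Cookie header carries ACalAuthenticate=inside."""
    head = raw_request.split("\r\n\r\n", 1)[0]   # ignore the body
    for line in head.split("\r\n")[1:]:          # skip the request line
        field, _, value = line.partition(":")
        if field.strip().lower() != "cookie":
            continue
        for name, val in parse_cookies(value):
            if name == COOKIE_NAME and val == BYPASS_VALUE:
                return True
    return False

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain": "GET /login.php HTTP/1.1\r\nHost: calendar.example\r\n"
             "Cookie: lang=en; ACalAuthenticate=inside\r\n\r\n",
    "encoded": "GET /login.php HTTP/1.1\r\nHost: calendar.example\r\n"
               "Cookie: ACalAuthenticate=%69nside\r\n\r\n",
    # The string appears inside another cookie's value: a naive substring
    # match would fire here, the parsed comparison does not.
    "other_cookie": "GET /login.php HTTP/1.1\r\nHost: calendar.example\r\n"
                    "Cookie: note=ACalAuthenticate=inside\r\n\r\n",
    # The string appears only in the body, not in a Cookie header.
    "body_only": "POST /login.php HTTP/1.1\r\nHost: calendar.example\r\n"
                 "Content-Length: 23\r\n\r\nACalAuthenticate=inside",
}

def scan(samples):
    """Return the names of the samples that match, in sorted order."""
    return sorted(k for k, req in samples.items() if is_bypass_attempt(req))

if __name__ == "__main__":
    print(scan(SAMPLES))
```

A match means the request carried the value in a cookie, not that the cookie was forged.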

Affected Products

ACal Project 2.2.5

Impact

Security Bypass.

Recommended Actions

Upgrade to the latest version of ACal Project (2.2.6 or later):
http://sourceforge.net/projects/acalproj

CVE References

CVE-2006-0182