WebCalendar PHP Application Vulnerabilities Prior to version 1.2.7

Number: AV14-099
Date: 5 December 2014


The purpose of this advisory is to draw attention to known vulnerabilities in the WebCalendar PHP application prior to version 1.2.7 and to the risks involved when an affected version is deployed.


Security researchers have observed that a notably large number of websites hosting malicious software and phishing pages do so as a result of vulnerabilities in the WebCalendar PHP application prior to version 1.2.7. Hosting an outdated instance of this application on your network presents a security risk to your network and to anyone accessing it.

The WebCalendar PHP application is used to maintain a calendar for a single user or for a group of intranet users. WebCalendar is widely used on the Internet and has been downloaded over 1,000,000 times since it was originally released.

Malicious actors have been observed targeting publicly accessible WebCalendar installations in order to serve their malicious files from legitimate web sites. After successfully exploiting a host running WebCalendar, the actors upload malicious files or pages. They then disseminate the URLs of those files to unsuspecting victims, using the now-compromised legitimate domain name to disguise the malicious download.

CVE Reference: CVE-2013-1421, CVE-2012-5385, CVE-2012-5384

Suggested Action

Any server administrators running WebCalendar prior to version 1.2.7 on their server are advised to upgrade to version 1.2.7 or later, as earlier versions contain various security vulnerabilities. Upgrading closes the vulnerabilities but does not remove files that an attacker may already have uploaded; administrators should also review the web root of any previously exposed installation for unexpected files or pages.
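The following script is an added example, not part of the CCIRC advisory or of the WebCalendar project: it walks a web root, finds WebCalendar installations, and flags any whose version predates 1.2.7. It assumes that each installation stores its version in includes/config.php as a line of the form $PROGRAM_VERSION = 'v1.2.6'; (the file name and variable name are assumptions; adjust VERSION_RE if your copy stores the version elsewhere). The sample tree it builds when run without arguments is constructed for the demonstration.

```python
"""Flag WebCalendar installations older than 1.2.7 under a web root.

Added example, not CCIRC or WebCalendar project code. Assumes (see the
lead-in) that every install carries includes/config.php containing a line
such as  $PROGRAM_VERSION = 'v1.2.6';
"""
import re
import sys
import tempfile
from pathlib import Path

FIXED_VERSION = "1.2.7"  # first release the advisory considers safe

# Matches  $PROGRAM_VERSION = 'v1.2.6';  (assumed variable name, see above)
VERSION_RE = re.compile(
    r"""\$PROGRAM_VERSION\s*=\s*['"]v?([0-9][0-9A-Za-z.\-]*)['"]"""
)


def parse_version(text):
    """Turn 'v1.2.7', '1.2' or '1.2.7-rc1' into a comparable tuple.

    Returns (major, minor, patch, is_final). A missing component counts as
    0 ('1.2' -> 1.2.0) and any trailing suffix such as '-rc1' or '-beta'
    marks a pre-release, which sorts before the final release of the same
    number.
    """
    text = text.strip().lstrip("vV")
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    nums = tuple(int(part) if part else 0 for part in m.group(1, 2, 3))
    is_final = 1 if m.group(4) == "" else 0
    return nums + (is_final,)


def is_vulnerable(version):
    """True when the version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_config(php_source):
    """Extract the version string from config.php source, or None."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def scan_webroot(root):
    """Return {install_dir: version} for every install found under root."""
    found = {}
    for cfg in Path(root).rglob("config.php"):
        if cfg.parent.name != "includes":
            continue
        version = version_from_config(cfg.read_text(errors="replace"))
        if version is not None:
            found[str(cfg.parent.parent)] = version
    return found


def report(root):
    """Print one line per install; return the list of vulnerable ones."""
    vulnerable = []
    for install, version in sorted(scan_webroot(root).items()):
        status = "UPGRADE" if is_vulnerable(version) else "ok"
        print("%-8s %-12s %s" % (status, version, install))
        if status == "UPGRADE":
            vulnerable.append(install)
    return vulnerable


if __name__ == "__main__":
    # Against a real web root:  python webcal_check.py /var/www
    # Exit status 1 when at least one install needs upgrading.
    if len(sys.argv) > 1:
        sys.exit(1 if report(sys.argv[1]) else 0)
    # No argument: demonstrate on a constructed throw-away tree.
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in (("cal_old", "v1.2.5"), ("cal_new", "v1.2.7")):
            inc = Path(tmp, name, "includes")
            inc.mkdir(parents=True)
            inc.joinpath("config.php").write_text(
                "<?php\n$PROGRAM_VERSION = '%s';\n" % ver)  # constructed sample
        report(tmp)
```

Run it as a pre-upgrade inventory and again afterwards: the exit status lets it sit in a cron job or a configuration check, and the pre-release handling in parse_version avoids treating a 1.2.7 release candidate as already fixed.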


Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
