XSS Vulnerability in Active Calendar 1.2.0

Discovered by Martin Barbella <martybarbella@gmail.com>

Description of Vulnerability:
-----------------------------
Active Calendar is PHP Class, that generates calendars (year, month or
week view) as a HTML Table (XHTML-Valid). (From:
http://micronetwork.de/activecalendar/index.php)

In the functions enableYearNav, enableMonthNav, enableDayLinks, and
enableDatePicker of the activeCalendar class, certain variables are
assigned the value of $_SERVER['PHP_SELF'] when either no value is
specified for $link, or the value of $link is false. The values of
these variables are not sanitized later, resulting in several cross
site scripting vulnerabilities.

Systems affected:
-----------------
This has been confirmed in version 1.2.0 of Active Calendar. Previous
versions may also be affected.

Impact:
-------
When a user is tricked into clicking on a malicious link or submit ... Read more »

Yesterday I wrote the article XSS vulnerabilities in 34 millions flash files
(http://websecurity.com.ua/3842/), and here is English version of it.

In December in my article XSS vulnerabilities in 8 millions flash files
(http://websecurity.com.ua/3789/) I wrote, that there are up to 34000000
of flashes tagcloud.swf in Internet which are potentially vulnerable to XSS
attacks. Taking into account that people mostly didn't draw attention in
previous article to my mentioning about another 34 millions of vulnerable
flashes, then I decided to write another article about it.

File tagcloud.swf was developed by author of plugin WP-Cumulus for WordPress
(http://websecurity.com.ua/3665/) and it's delivered with this plugin for
WordPress, and also with other plugins, particularly Joomulus
(http://websecurity.com.ua/3801/) and JVClouds3D
(http://websecurity.com.ua/3839/) for Joomla and Blogumus
(http://websecurity.com.ua/3843/) for Blogger. Taking into ... Read more »

It is similar to XSS vulnerability in Joomulus for Joomla (http://websecurity.com.ua/3801/). About millions of flash files tagcloud.swf which are vulnerable to XSS attacks I mentioned in my article XSS vulnerabilities in 8 millions flash files (http://websecurity.com.ua/3789/).

XSS:

http://site/modules/mod_jvclouds3D/jvclouds3D/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

Code will execute after click. It's strictly social XSS.

Also it's possible to conduct (like in WP-Cumulus and Joomulus) HTML
Injection attack, including in those flash files which have protection (in
flash files or via WAF) against javascript and vbscript URI in parameter
tagcloud.

HTML Injection:

http://site/modules/mod_jvclouds3D/jvclouds3D/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='http://websecurity.com.ua'+style='font-size:+40pt'%3EClick%20me%3C/a ... Read more »