socsam has discovered a vulnerability in WebCalendar,
which can be exploited by malicious people to bypass
certain security restrictions and disclose sensitive
information.

Input passed to the "includedir" parameter isn't properly
verified before it is used in an "fopen()" call. This can
be exploited to load an arbitrary setting file from an
external web site.

This can further be exploited to disclose the content of
arbitrary files by defining the "user_inc" variable in a
malicious setting file.

Successful exploitation requires that "register_globals"
is enabled.
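
A defender-side check for the condition described above, as an added example that is not part of the original advisory: it scans web-server access log lines for requests that supply "includedir" in the query string and rates those pointing at an external URL as high. The log lines, the path /webcalendar/page.php and the host names are constructed; values sent by POST body or cookie never reach an access log and are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter named in the advisory; a client has no reason to send it.
WATCHED = "includedir"
# Any URL scheme in the value (http://, ftp://, ...) means a remote source.
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)
# Request field of a common/combined format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample input (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] '
    '"GET /webcalendar/page.php?includedir=http%3A%2F%2Fexternal.example%2F HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] '
    '"GET /webcalendar/page.php?date=20000101 HTTP/1.1" 200 2048',
    '192.0.2.12 - - [01/Jan/2000:10:00:09 +0000] '
    '"GET /webcalendar/page.php?includedir=includes HTTP/1.1" 200 300',
]

def classify(line):
    """Return [(value, severity)] for each includedir parameter on one line."""
    m = REQUEST.search(line)
    if not m:
        return []
    findings = []
    # parse_qsl percent-decodes, so encoded and plain URLs are treated alike.
    for name, value in parse_qsl(urlsplit(m.group(1)).query,
                                 keep_blank_values=True):
        if name != WATCHED:
            continue
        severity = "high" if SCHEME.match(value) else "review"
        findings.append((value, severity))
    return findings

def scan(lines):
    """Return [(line_number, value, severity)] over an iterable of log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for value, severity in classify(line):
            hits.append((number, value, severity))
    return hits

if __name__ == "__main__":
    for number, value, severity in scan(SAMPLE_LOG):
        print(f"line {number}: includedir={value!r} [{severity}]")
```

A "review" hit is still worth following up: with "register_globals" enabled, any client-supplied value for this parameter reaches the script.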