Type Confusion in craigk5n/webcalendar


Reported on

Oct 1st 2021


During the comparisons of different variables, php will automatically convert the data into a common, comparable type. This leads to a variety of problems and might even cause security vulnerabilities.

https://github.com/craigk5n/webcalendar has type juggling vulnerabilities that allows auth bypass as shown below:

Proof of Concept

webcalendar uses md5 to store user provided passwords and stored in a configuration file as follows:

  fwrite( $fd, '<?php' . "\r\n" . 'install_password: ' . md5( $pwd1 )
     . "\r\n?>\r\n" );
  fclose( $fd );

later, it uses this conf file to perform auth checks, under certain circunstaces this checks can be bypassed because type juggling and magic hashes.

Payload: Go to http://localhost/webcalendar-master/install/index.php Enter password:


This generates the settings file /var/www/html/webcalendar-master/includes/settings.php with the following content:

install_password: 0e461721121374870411609769578212

The following block checks for the password, however uses == to verify it. Thus making it vulnerable to Auth bypass using type conversion magic hashes:

  if( md5( $pwd ) == $password ) {
    $_SESSION['validuser'] = $password;
    echo translate( 'Password Accepted' ) . '</title>
    <meta http-equiv="refresh" content="0; index.php" />

Now go to: http://localhost/webcalendar-master/install/index.php And enter a different password , for example:


And observe the login is correct


This vulnerability is capable of bypassing authentication

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
Craig Knudsen validated this vulnerability 2 years ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Craig Knudsen
2 years ago


There is an open pull request that addresses this issue: https://github.com/craigk5n/webcalendar/pull/250/files It should be merged into master in the next week.

Craig Knudsen
a year ago


This has been merged into master and boostrap-ui branches.

a year ago



a year ago



Craig Knudsen
a year ago


The fix for this was included in the WebCalendar v1.9.0 release.

Craig Knudsen marked this as fixed in v1.9.0 with commit d7784e a year ago
Craig Knudsen has been awarded the fix bounty
This vulnerability will not receive a CVE
index.php#L178-L183 has been validated
to join this conversation