WebCalendar Access Control and File Inclusion Bugs Let Remote Users Potentially Execute Arbitrary Code
1.2.4 and prior versions
Two vulnerabilities were reported in WebCalendar. A remote user may be able to execute arbitrary PHP code on the target system.
A remote user can access '/install/index.php' to potentially modify '/includes/settings/' with arbitrary values or PHP code. A remote authenticated user can send a specially crafted request to '/pref.php' to include an arbitrary local file. magic_quotes_gpc must be disabled to exploit this flaw.
The vendor has issued a fix (1.2.5).
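A retrospective log check for the two issues described above, as an added example that is not part of the original advisory or of WebCalendar: it flags successful requests to '/install/index.php' and '/pref.php' requests whose query string carries path traversal or a NUL byte. Assumptions: combined-format access logs, constructed sample lines, the placeholder parameter name `x`, and the traversal/NUL heuristic, none of which the advisory specifies.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined log format); not from a real system.
# The parameter name "x" is a placeholder; the advisory does not name the parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2012:10:01:02 +0000] "GET /webcalendar/month.php HTTP/1.1" 200 5120
203.0.113.9 - - [10/Apr/2012:10:02:11 +0000] "POST /webcalendar/install/index.php HTTP/1.1" 200 812
198.51.100.7 - alice [10/Apr/2012:10:03:40 +0000] "POST /webcalendar/pref.php HTTP/1.1" 302 0
198.51.100.7 - alice [10/Apr/2012:10:04:05 +0000] "GET /webcalendar/pref.php?x=..%2F..%2Ftmp%2Ff%00 HTTP/1.1" 200 940
"""

# client IP, method, request target, status code
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan(log_text):
    """Return (client_ip, reason) for each line matching either issue."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        path = url.path.lower()
        # Issue 1: the installer should be unreachable after setup; any
        # non-error response means it is still exposed to remote users.
        if path.endswith("/install/index.php") and int(status) < 400:
            findings.append((ip, "installer reachable (%s %s)" % (method, status)))
        # Issue 2 (assumed heuristic): local file inclusion attempts usually
        # show path traversal or a NUL byte, which magic_quotes_gpc would
        # escape. Decode twice to catch double-encoding.
        query = unquote(unquote(url.query))
        if path.endswith("/pref.php") and (
            "../" in query or "..\\" in query or "\x00" in query
        ):
            findings.append((ip, "pref.php traversal or NUL byte"))
    return findings


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(ip, reason)
```

POST bodies are not recorded in access logs, so a crafted POST to '/pref.php' will not be caught this way; upgrading to 1.2.5 remains the fix.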