PHP iCalendar Multiple Vulnerabilities - Bugtraq Advisory

2005

25 October 2005

Event

advisory php icalendar

What

Advisory

advisory php-icalendar critical rce CVE-2005-3366

On October 25, 2005, researcher Francesco “aScii” Ongaro published a technical advisory on Bugtraq (via the marc.info portal) regarding a critical Remote File Inclusion vulnerability in the PHP iCalendar software, versions 2.0a2 through 2.0.1. The advisory described an issue that allowed arbitrary .php files to be included through manipulated cookies. It was caused by a lack of input validation in the index.php file and could potentially lead to remote code execution (RCE). The exploit and technical analysis were signed by Ongaro, who also asserted copyright on the content. The advisory was published simultaneously on USH.it and republished by various security platforms.
