PHP iCalendar XSS and File Inclusion Vulnerabilities

2005

25 October 2005

Event

advisory php icalendar

What

Advisory

advisory php-icalendar critical rce CVE-2005-3366

On October 25, 2005, the CXSecurity portal published a technical advisory on XSS and file inclusion vulnerabilities found in the PHP iCalendar software, attributing the discovery to Francesco “ascii” Ongaro. The advisory describes in detail how missing input validation in the index.php file allowed arbitrary PHP files to be included through manipulated cookies, leaving the software vulnerable to remote attacks. The document includes exploit code, a risk analysis (CVSS 6.8/10), and references to the disclosure timeline and the fix implemented by the vendor. Ongaro is credited as the bulletin’s author and copyright holder.

Archived PDF document