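[-] Vulnerable code in /install/index.php (CVE-2012-1495)

  Values taken from the POST request (lines 676-677) are written into a file that begins with "<?php" (lines 740-744). In the lines shown, the only check before fwrite is that the value is not empty and not '<br />'; nothing restricts the characters the value may contain.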

  674.    $y = getPostValue ( 'app_settings' );
  675.    if ( ! empty ( $y ) ) {
  676.      $settings['single_user_login'] = getPostValue ( 'form_single_user_login' );
  677.      $settings['readonly'] = getPostValue ( 'form_readonly' );
  ...
  724.      // Save settings to file now.
  725.    if ( ! empty ( $x ) || ! empty ( $y ) ){
  726.      $fd = @fopen ( $file, 'w+b', false );
  727.      if ( empty ( $fd ) ) {
  728.        if ( @file_exists ( $file ) ) {
  729.          $onloadDetailStr =
  730.            translate ( 'Please change the file permissions of this file', true );
  731.        } else {
  732.          $onloadDetailStr =
  733.            translate ( 'Please change includes dir permission', true );
  734.        }
  735.        $onload = "alert('" . $errorFileWriteStr . $file. "\\n" .
  736.          $onloadDetailStr . ".');";
  737.      } else {
  738.        if ( function_exists ( "date_default_timezone_set" ) )
  739.          date_default_timezone_set ( "America/New_York");
  740.        fwrite ( $fd, "<?php\r\n" );
  741.        fwrite ( $fd, '/* updated via install/index.php on ' . date ( 'r' ) . "\r\n" );
  742.        foreach ( $settings as $k => $v ) {
  743.          if ( $v != '<br />' && $v != '' )
  744.          fwrite ( $fd, $k . ': ' . $v . "\r\n" );
  745.        }



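  [-] Code vulnerable to LFI in /pref.php (CVE-2012-1496)

  $my_theme is concatenated into the include_once path (lines 76-77), and nothing in the lines shown restricts it to a known theme name. It is presumably populated from the POST data inside save_pref(), which is not shown here. Checking the value against the fixed list of installed themes before building the path would close this.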

  70.    if ( ! empty ( $_POST ) && empty ( $error )) {
  71.      $my_theme = '';
  72.      $currenttab = getPostValue ( 'currenttab' );
  73.      save_pref ( $_POST, 'post' );
  74.
  75.      if ( ! empty ( $my_theme ) ) {
  76.        $theme = 'themes/'. $my_theme . '_pref.php';
  77.        include_once $theme;
  78.        save_pref ( $webcal_theme, 'theme' );
  79.      }