From the information I have received about the com_extcalendar (com_extcal2) vulnerabilities, there are currently two flavors of the exploit circling around. To make matters worse, this component is no longer actively developed, hence we don't expect a proper patch to come around soon enough to be effective, so I can only recommend that you migrate to a newer/more actively developed calendar component. For those that need time to do this type of thing, I have added another mod_rewrite condition to the ruleset I have been developing that will hopefully address the exploits that are going around (one version was actually already blocked by my mod_rewrite rule set; I like good surprises!).
If you would like to go this route, you can find the mod_rewrite rules in this thread:
http://forum.joomla.org/index.php/topic,75376.0.html
Also, Elpie noticed that the vulnerability is caused by a lack of valid component checking that all Joomla files are supposed to do before they execute any code. The code below should be in every 3rd-party component file.
Code:
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
Another option for those of you that need time to migrate away from com_extcalendar would be to manually insert those two lines of code toward the top (but underneath the first comment chunk that starts with /* and ends with */) of all the files that were installed by com_extcalendar in the /path/to/Joomla/components/com_extcalendar/ and /path/to/Joomla/administrator/components/com_extcalendar/ directories. That will be a rather labor-intensive project though, because there are quite a few files, and I cannot guarantee that addition will fix the problem altogether.