[UPGRADE AVAIL.] ExtCalendar Vulnerability

[Floranett]

That vulnerability has already been fixed in the upgrade that we should have out soon.
We are in the final testing stages now.

Thats great news Elpie

[Gregorius]

Great news indeed.. thank you for your efforts guys... its muchly appreciated.

[leolam]

Client of mine also hacked...nothing wrong with configuration.php but the index.php was replaced......
waiting for the patch.....
cheers
Leo

[Elpie]

Testing is well underway Leo - hope to have it available for you soon.

[leolam]

Testing is well underway Leo - hope to have it available for you soon.

need testing and hack-attempt assistance?
cheers
Leo

[RobinH]

Testing is well underway Leo - hope to have it available for you soon.

need testing and hack-attempt assistance?
cheers
Leo

Ditto here.  I'm on a VPS and haven't had any hack attempts since moving to it, but would be willing to do testing with you.

[lboccia]

I dashur Albi,
  can you confirm that using the Calendar version you suggested there are no known security issues?

Të fala (Regards),
Luigi

[svenl]

Testing is well underway Leo - hope to have it available for you soon.

Thanks for this.

Even if it still are a "beta" and in testing mode, is it possible to have "hands on it" and start implement ExCalendar again.

Is it anybody that also will start to develop this component futher??

/Sven

[Elpie]

We are not releasing it until it has been thoroughly tested.  The reason for this is that we need to be certain that it works as intended without causing problems. When we looked into the code we found that there was a lot more to do to fix security issues than just preventing direct access and we had to write the update so it would install the new version and completely remove the old one.

Do NOT uninstall the ExtCalendar you have now, through the Joomla backend admin, unless you have a backup or are prepared to lose all your events. The current version deletes all its data tables when it is uninstalled.

And, don't worry, ExtCalendar is not an orphan project any more. We will be looking after it

[PhilTaylor-Prazgod]

Do NOT uninstall the ExtCalendar you have now

Misleading advice.

Possibly reword like this:

"Do not use the Joomla Uninstall method in Joomla ADmin for uninstalling extCalendar right now as the would remove your events and they would be lost for ever - HOWEVER YOU MUST remove manually using FTP or SSH the /components/com_extcalandar/ folder and all files below in order to prevent your site getting hacked."


:-)~ :-)

[Elpie]

Agreed, I missed a couple of words   Fixed that now.
All going well, the release should only be a matter of hours away.

[RobinH]

Actually I don't think that removing the component, regardless of the method used, is a 'must'.  If your site is secure, and in my case on your own server, the odds of a hacking event are somewhat mitigated.

I don't think we should state that just because there's an issue, users should remove the product.  And how long will we have to wait for the fix?  I doubt we have to wait much longer, as these guys seem to really have pride in their product and my feel is they'll be providing us a very good solution in very little time. 

I just would hate to "stampede the cattle" by shouting 'fire, fire, fire' when some of us may be at risk, but not been hacked, but the hack-proof solution is soon to come.  Most of us get that knee-jerk reaction when we start hearing about these hacker events, but there are enough suggestions floating around to where I believe one could secure their site well enough until the solution is provided.

Anyway, that's my thought on this.  I'm waiting patiently for that update myself, as I feel that this product is now an integral part of my site and I definitely don't want to lose it.

[PhilTaylor-Prazgod]

If your site is secure, and in my case on your own server, 

Exactly how many Joomla Users have that though???? And even if they do - do they have the knowledge to make a server secure - probably not.

Try telling that the the people that got hacked - to the 50+ people that have employed my company to fix their sites after the hackers.... Some of which were dedicated servers!

I'm not yelling fire fire fire - Im being real and serious about a real and expanding threat to hacking of 3PD

[leolam]

Misleading advice.
Possibly reword like this:
"Do not use the Joomla Uninstall method in Joomla ADmin for uninstalling extCalendar right now as the would remove your events and they would be lost for ever - HOWEVER YOU MUST remove manually using FTP or SSH the /components/com_extcalandar/ folder and all files below in order to prevent your site getting hacked."

Incorrect wording and confusing for newbies and people who do not have YOUR knowledge!

Please realise that we (more experienced people) are here to help and protect the users of this fantastic Joomla-product and that we are not in this to play games and use the situation to promote!

Most likely rewording so people with less KB understand this as well!:

"Do NOT uninstall the ExtCalendar you have now, through the Joomla backend admin, because you will loose all your events.  The current version deletes all its data tables where the events are stored when it is uninstalled through the uninstaller of the admin backend." If you want to maintain your events which are stored in the database-tables while waiting for the new EXT Calendar patch you should strongly consider to remove manually (using FTP or your cPanel-filemanager or equivalent panel) the /components/com_extcalandar/ folder and all files below. This will secure for now your system from being hacked through this component and keeps your events in the database for future use when the new files and folders are available whch will be soon."

next@ Phil...You promote on your website a hack for download solving this issue... Your rewording above is though contradiction to the "patch" on your site since it advises to remove the folders instead of applying the patch as you promote on your site? Can you please clarify this to avoid misunderstanding?

Try telling that the the people that got hacked - to the 50+ people that have employed my company to fix their sites after the hackers....
I'm not yelling fire fire fire - Im being real and serious about a real and expanding threat to hacking of 3PD

I am simply asking how your rewording from above fits this message. The people who are currently working on this new patch are addressing serious sql-issues and others related to EXT Calendar as well.....Could you shine your light on this as well because it seems that a little bit more is present than you have addressed in your patch if i understand this correct? Please advise becasue i would love to know if i can use your patch you have installed with your 50 or so users or should i uninstall as you suggest in your rewording? Is your patch safe and does it solves the issue?

thanks
Cheers
Leo

[PhilTaylor-Prazgod]

Client of mine also hacked...nothing wrong with configuration.php but the index.php was replaced......
waiting for the patch.....
cheers
Leo

Maybe if the "more experienced" had advised his customer correctly he would not hack got hacked !!
Maybe if the "more experienced" had the experience he could patch or help his customer right away?

Please realise that we (more experienced people) are here to help and protect the users of this fantastic Joomla-product and that we are not in this to play games and use the situation to promote!

Not sure if you are counting your self more experienced then me or that you think I am trying to promote my services ? or both.  Infact I do this for a living is a fact - I cant change that - and yes I do charge and yes I do make money - get over it - thats my job! - it also means that I am very experienced.

At the end of the day if users leave excalendar.php or file_upload.php or image_upload.php on their server they seriously risk getting hacked. Even if they are leaving it there waiting for a new release to be made.

Two choices:
1) remove the files - dont get hacked
2) leave the files - risk getting hacked.

I personally was involved in one of the first hacks of this wave last friday - and since then I have spend 12 hours of every day - along with two staff members fixing hacked sites around the world.  I am experienced in the hackers methods and entry points and know I personally can protect a server from hacking.

[leolam]

@leo
Im not interested in your nit picking personal flaming thread posts - go and find some one else to troll and I'll simply get on with doing what I was doing before you decided to popin.

may i object to this flame and abuse? I ask you a very descent question, one which is not flaming and one which is very fair question? I asked you if your thread was solving the issue and i made a clarification on the remark. What is wrong with asking if your solution solves it? OPlease advise  why you need to be aggresive and abusive?

Client of mine also hacked...nothing wrong with configuration.php but the index.php was replaced......
waiting for the patch.....
cheers
Leo

Maybe if the "more experienced" had advised his customer correctly he would not hack got hacked !!

thanks you for that...I could reply very easy with a remark that i read somewhere that you just helped 50 of your customers but i won't becasue i just asked a descent question on which i have not yet got an answer. Does your patch solves the issue was the question? If so I am happy and we will apply ity to the customer's site!!

Please note that i do not understand your aggression and or your frustration. I even posted a thank you message on your blog at http://blog.phil-taylor.com for sharing your solution with us...I read now that we have other developments (Elpie's posts) and possible other hacks or releases and i ask a question......the answer is insults? May I be displeased with that approach?

Cheers
Leo

[PhilTaylor-Prazgod]

just helped 50 of your customers

Actually they were not customers of mine  - but they are now cause they knew where to turn when they were let down by other so called "more experienced"

The fact is, and this thread proves, that there is a lot of people thinking they are qualified to give advice.  Even bad advice. 

Your posts have done nothing for this thread.

I conclude (on topic)

If you have files extcalendar.php, file_upload.php, image_upload.php (or perForms) on your site then you are liable to be hacked if have not taken action to remove, patch, or protect yourself agains a string of automated, self replicating attacks.  You are also vunerable if you have taken action based on some incorrect advice (like modifing htaccess files I read somewhere)

You have been warned.

[leolam]

The fact is, and this thread proves, that there is a lot of people thinking they are qualified to give advice.  Even bad advice. 

completely agree without doubt!

If you have files extcalendar.php, file_upload.php, image_upload.php (or perForms) on your site then you are liable to be hacked if have not taken action to remove, patch, or protect yourself agains a string of automated, self replicating attacks.  You are also vunerable if you have taken action based on some incorrect advice (like modifing htaccess files I read somewhere)
You have been warned.

which is without doubt an excellent advise! but:

Phil,
once again I ask you if your patch which is downloadable from your site solves indefinitely this vulnarability which has been discovered recently? Is it too much asked to give a straight answer to that question which is a fair request? On the bad advise i do concur by the way. the .htaccess remarks are not applicable in this situation and does not solve anything. So in other words if i understand you correct that if I would apply your patch I do not have to fear anymore and i cannot get hacked through the ext.calendar vulnerability any longer? 
Cheers
Leo

[albi]

I dashur Albi,
  can you confirm that using the Calendar version you suggested there are no known security issues?

Të fala (Regards),
Luigi

Pershendetje miku im

No known security issues till now for this calendar

http://extensions.joomla.org/component/ ... Itemid,35/

Regards
dimitri

[PhilTaylor-Prazgod]

Phil,
once again I ask you if your patch which is downloadable from your site solves indefinitely this vulnarability which has been discovered recently? Is it too much asked to give a straight answer to that question which is a fair request? On the bad advise i do concur by the way. the .htaccess remarks are not applicable in this situation and does not solve anything. So in other words if i understand you correct that if I would apply your patch I do not have to fear anymore and i cannot get hacked through the ext.calendar vulnerability any longer?  Smiley
Cheers

Simple answer.  The patch on my blog has been removed in favour of the pending combined developers re-release of ExtCalendar which I have been aware of for some time. The patch that was available on my site was developed inhouse at speed for a particular customer and fixed all file include vunerabilities in that single file. Since that time other SQL injection and string manipulatiuon issues have been found and the patch removed from my site.

I have been in almost daily touch with Martin Brampton (Ex Mambo Core Lead Developer) and he has been working with the team on securing ExtCalendar.  I have offered to promote the official release he and the team of developers will make available soon to my mailing list of over 10,000 Joomla users worldwide (The same list I announced the issues to at the beginning of this week).

[leolam]

Phil,
once again I ask you if your patch which is downloadable from your site solves indefinitely this vulnarability which has been discovered recently? Is it too much asked to give a straight answer to that question which is a fair request? On the bad advise i do concur by the way. the .htaccess remarks are not applicable in this situation and does not solve anything. So in other words if i understand you correct that if I would apply your patch I do not have to fear anymore and i cannot get hacked through the ext.calendar vulnerability any longer?  Smiley
Cheers

Simple answer.  The patch on my blog has been removed in favour of the pending combined developers re-release of ExtCalendar which I have been aware of for some time. The patch that was available on my site was developed inhouse at speed for a particular customer and fixed all file include vunerabilities in that single file. Since that time other SQL injection and string manipulatiuon issues have been found and the patch removed from my site.

I have been in almost daily touch with Martin Brampton (Ex Mambo Core Lead Developer) and he has been working with the team on securing ExtCalendar.  I have offered to promote the official release he and the team of developers will make available soon to my mailing list of over 10,000 Joomla users worldwide (The same list I announced the issues to at the beginning of this week).

Thank you for your reply....that was all i asked for in my initial post. On the remainder i will post in private to the known channels. As usual it was my pleasure 

Cheers
Leo

[RobinH]

Weeeeeeeeeeeeeeeeea hah.... sometimes these forums can be oh so much fun!!! 

This is what I meant in an earlier post about developers not wanting to hear anything bad said about their "babies".  You gotta love developers, they are such lonely people, working hard on their computers all in a world of their making, designing and creating wonderful products for lame butts like me....

Warning to all visitors to these forums - never get a developer angry at you - the have a very long memory, and tons of RAM to store it in!!!

[donaldwheaton]

I have a website that was defaced through the security hole in the ExtCalendar component and previously with RSGallery.  In both defacements, not only did the home page get replaced, but the hacker installed a rootkit.  My other security measures limited the rootkit's usefulness, but standard installations would be compromised and most likely be relays for spam or slaves for a DDOS attack.  If you have been hacked, or even before you have been hacked, and you're running a *NIX system, I would recommend to install and run a rootkit scanner like chkrootkit or rkhunter and a log analysis program like logwatch.  Here are their web site addresses:
http://www.chkrootkit.org/
http://www.rootkit.nl/
http://www.logwatch.org/

[RobinH]

I have a website that was defaced through the security hole in the ExtCalendar component and previously with RSGallery.  In both defacements, not only did the home page get replaced, but the hacker installed a rootkit.  My other security measures limited the rootkit's usefulness, but standard installations would be compromised and most likely be relays for spam or slaves for a DDOS attack.  If you have been hacked, or even before you have been hacked, and you're running a *NIX system, I would recommend to install and run a rootkit scanner like chkrootkit or rkhunter and a log analysis program like logwatch.  Here are their web site addresses:

Please pardon my ignorance (well, why should you?  My wife doesn't). What is a *NIX system???

[PhilTaylor-Prazgod]

I have a website that was defaced through the security hole in the ExtCalendar component and previously with RSGallery.  In both defacements, not only did the home page get replaced, but the hacker installed a rootkit.  My other security measures limited the rootkit's usefulness, but standard installations would be compromised and most likely be relays for spam or slaves for a DDOS attack.  If you have been hacked, or even before you have been hacked, and you're running a *NIX system, I would recommend to install and run a rootkit scanner like chkrootkit or rkhunter and a log analysis program like logwatch.  Here are their web site addresses:
http://www.chkrootkit.org/
http://www.rootkit.nl/
http://www.logwatch.org/

For clarification:
You can only run these tools if you have ssh/telnet access to your server and correct permissions and priviledges to do so.  Most normal web hosting accounts will not have this level of access to the servers operating system and scanning for rootkits should only be done by those with full access and permission to the OS files. (After all if you run a rootkit check and find a problem you need the experience or knowledge to know what to do next :-) )

For the regular Joomla user the use of rootkit scanning would not apply.

A *nix ssystem is one based on UNIX or Linux code (redhat, centos, etc...)

[leolam]

Warning to all visitors to these forums - never get a developer angry at you - the have a very long memory, and tons of RAM to store it in!!!

Hack their memory and remove

// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );

from what they consider to be a brain

cheers
Leo

[RobinH]

For clarification:
You can only run these tools if you have ssh/telnet access to your server and correct permissions and priviledges to do so.  Most normal web hosting accounts will not have this level of access to the servers operating system and scanning for rootkits should only be done by those with full access and permission to the OS files. (After all if you run a rootkit check and find a problem you need the experience or knowledge to know what to do next :-) )

For the regular Joomla user the use of rootkit scanning would not apply.

A *nix ssystem is one based on UNIX or Linux code (redhat, centos, etc...)

Thanks, appreciate the info.  I'm on VPS with full admin authority on the server, running Centos.  Will go investigate that rootkit scanner.

[Buster]

Any news on any re-releases?

[RobinH]

Any news on any re-releases?

Coming soon to a theater near you!!!

[Buster]

That's strange, the last e-mail I got from the developer it was a HE not SHE and his name is David.  Has he had surgery?