Joomla! Discussion Forums

Thats great news Elpie

Great news indeed.. thank you for your efforts guys... its muchly appreciated.

Client of mine also hacked...nothing wrong with configuration.php but the index.php was replaced......
waiting for the patch.....
cheers
Leo

Testing is well underway Leo - hope to have it available for you soon.

need testing and hack-attempt assistance?
cheers
Leo

Ditto here.  I'm on a VPS and haven't had any hack attempts since moving to it, but would be willing to do testing with you.

I dashur Albi,
  can you confirm that using the Calendar version you suggested there are no known security issues?

Të fala (Regards),
Luigi

Thanks for this.

Even if it still are a "beta" and in testing mode, is it possible to have "hands on it" and start implement ExCalendar again.

Is it anybody that also will start to develop this component futher??

/Sven

We are not releasing it until it has been thoroughly tested.  The reason for this is that we need to be certain that it works as intended without causing problems. When we looked into the code we found that there was a lot more to do to fix security issues than just preventing direct access and we had to write the update so it would install the new version and completely remove the old one.

Do NOT uninstall the ExtCalendar you have now, through the Joomla backend admin, unless you have a backup or are prepared to lose all your events. The current version deletes all its data tables when it is uninstalled.

And, don't worry, ExtCalendar is not an orphan project any more. We will be looking after it

Misleading advice.

Possibly reword like this:

"Do not use the Joomla Uninstall method in Joomla ADmin for uninstalling extCalendar right now as the would remove your events and they would be lost for ever - HOWEVER YOU MUST remove manually using FTP or SSH the /components/com_extcalandar/ folder and all files below in order to prevent your site getting hacked."


:-)~ :-)

Agreed, I missed a couple of words   Fixed that now.
All going well, the release should only be a matter of hours away.

Actually I don't think that removing the component, regardless of the method used, is a 'must'.  If your site is secure, and in my case on your own server, the odds of a hacking event are somewhat mitigated.

I don't think we should state that just because there's an issue, users should remove the product.  And how long will we have to wait for the fix?  I doubt we have to wait much longer, as these guys seem to really have pride in their product and my feel is they'll be providing us a very good solution in very little time. 

I just would hate to "stampede the cattle" by shouting 'fire, fire, fire' when some of us may be at risk, but not been hacked, but the hack-proof solution is soon to come.  Most of us get that knee-jerk reaction when we start hearing about these hacker events, but there are enough suggestions floating around to where I believe one could secure their site well enough until the solution is provided.

Anyway, that's my thought on this.  I'm waiting patiently for that update myself, as I feel that this product is now an integral part of my site and I definitely don't want to lose it.

Exactly how many Joomla Users have that though???? And even if they do - do they have the knowledge to make a server secure - probably not.

Try telling that the the people that got hacked - to the 50+ people that have employed my company to fix their sites after the hackers.... Some of which were dedicated servers!

I'm not yelling fire fire fire - Im being real and serious about a real and expanding threat to hacking of 3PD

Incorrect wording and confusing for newbies and people who do not have YOUR knowledge!

Please realise that we (more experienced people) are here to help and protect the users of this fantastic Joomla-product and that we are not in this to play games and use the situation to promote!

Most likely rewording so people with less KB understand this as well!:

"Do NOT uninstall the ExtCalendar you have now, through the Joomla backend admin, because you will loose all your events.  The current version deletes all its data tables where the events are stored when it is uninstalled through the uninstaller of the admin backend." If you want to maintain your events which are stored in the database-tables while waiting for the new EXT Calendar patch you should strongly consider to remove manually (using FTP or your cPanel-filemanager or equivalent panel) the /components/com_extcalandar/ folder and all files below. This will secure for now your system from being hacked through this component and keeps your events in the database for future use when the new files and folders are available whch will be soon."

next@ Phil...You promote on your website a hack for download solving this issue... Your rewording above is though contradiction to the "patch" on your site since it advises to remove the folders instead of applying the patch as you promote on your site? Can you please clarify this to avoid misunderstanding?


I am simply asking how your rewording from above fits this message. The people who are currently working on this new patch are addressing serious sql-issues and others related to EXT Calendar as well.....Could you shine your light on this as well because it seems that a little bit more is present than you have addressed in your patch if i understand this correct? Please advise becasue i would love to know if i can use your patch you have installed with your 50 or so users or should i uninstall as you suggest in your rewording? Is your patch safe and does it solves the issue?

thanks
Cheers
Leo

may i object to this flame and abuse? I ask you a very descent question, one which is not flaming and one which is very fair question? I asked you if your thread was solving the issue and i made a clarification on the remark. What is wrong with asking if your solution solves it? OPlease advise  why you need to be aggresive and abusive?




thanks you for that...I could reply very easy with a remark that i read somewhere that you just helped 50 of your customers but i won't becasue i just asked a descent question on which i have not yet got an answer. Does your patch solves the issue was the question? If so I am happy and we will apply ity to the customer's site!!

Please note that i do not understand your aggression and or your frustration. I even posted a thank you message on your blog at http://blog.phil-taylor.com for sharing your solution with us...I read now that we have other developments (Elpie's posts) and possible other hacks or releases and i ask a question......the answer is insults? May I be displeased with that approach?

Cheers
Leo

Actually they were not customers of mine  - but they are now cause they knew where to turn when they were let down by other so called "more experienced"

The fact is, and this thread proves, that there is a lot of people thinking they are qualified to give advice.  Even bad advice. 

Your posts have done nothing for this thread.

I conclude (on topic)

If you have files extcalendar.php, file_upload.php, image_upload.php (or perForms) on your site then you are liable to be hacked if have not taken action to remove, patch, or protect yourself agains a string of automated, self replicating attacks.  You are also vunerable if you have taken action based on some incorrect advice (like modifing htaccess files I read somewhere)

You have been warned.

completely agree without doubt!

which is without doubt an excellent advise! but:

Phil,
once again I ask you if your patch which is downloadable from your site solves indefinitely this vulnarability which has been discovered recently? Is it too much asked to give a straight answer to that question which is a fair request? On the bad advise i do concur by the way. the .htaccess remarks are not applicable in this situation and does not solve anything. So in other words if i understand you correct that if I would apply your patch I do not have to fear anymore and i cannot get hacked through the ext.calendar vulnerability any longer? 
Cheers
Leo

Pershendetje miku im

No known security issues till now for this calendar

http://extensions.joomla.org/component/ ... Itemid,35/

Regards
dimitri

Simple answer.  The patch on my blog has been removed in favour of the pending combined developers re-release of ExtCalendar which I have been aware of for some time. The patch that was available on my site was developed inhouse at speed for a particular customer and fixed all file include vunerabilities in that single file. Since that time other SQL injection and string manipulatiuon issues have been found and the patch removed from my site.

I have been in almost daily touch with Martin Brampton (Ex Mambo Core Lead Developer) and he has been working with the team on securing ExtCalendar.  I have offered to promote the official release he and the team of developers will make available soon to my mailing list of over 10,000 Joomla users worldwide (The same list I announced the issues to at the beginning of this week).

Thank you for your reply....that was all i asked for in my initial post. On the remainder i will post in private to the known channels. As usual it was my pleasure 

Cheers
Leo

Weeeeeeeeeeeeeeeeea hah.... sometimes these forums can be oh so much fun!!! 

This is what I meant in an earlier post about developers not wanting to hear anything bad said about their "babies".  You gotta love developers, they are such lonely people, working hard on their computers all in a world of their making, designing and creating wonderful products for lame butts like me....

Warning to all visitors to these forums - never get a developer angry at you - the have a very long memory, and tons of RAM to store it in!!!

I have a website that was defaced through the security hole in the ExtCalendar component and previously with RSGallery.  In both defacements, not only did the home page get replaced, but the hacker installed a rootkit.  My other security measures limited the rootkit's usefulness, but standard installations would be compromised and most likely be relays for spam or slaves for a DDOS attack.  If you have been hacked, or even before you have been hacked, and you're running a *NIX system, I would recommend to install and run a rootkit scanner like chkrootkit or rkhunter and a log analysis program like logwatch.  Here are their web site addresses:
http://www.chkrootkit.org/
http://www.rootkit.nl/
http://www.logwatch.org/

Please pardon my ignorance (well, why should you?  My wife doesn't). What is a *NIX system???

For clarification:
You can only run these tools if you have ssh/telnet access to your server and correct permissions and priviledges to do so.  Most normal web hosting accounts will not have this level of access to the servers operating system and scanning for rootkits should only be done by those with full access and permission to the OS files. (After all if you run a rootkit check and find a problem you need the experience or knowledge to know what to do next :-) )

For the regular Joomla user the use of rootkit scanning would not apply.

A *nix ssystem is one based on UNIX or Linux code (redhat, centos, etc...)

Hack their memory and remove from what they consider to be a brain

cheers
Leo

Thanks, appreciate the info.  I'm on VPS with full admin authority on the server, running Centos.  Will go investigate that rootkit scanner.

Any news on any re-releases?

Coming soon to a theater near you!!!

That's strange, the last e-mail I got from the developer it was a HE not SHE and his name is David.  Has he had surgery?