[UPGRADE AVAIL.] ExtCalendar Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

leolam
Joomla! Master
Posts: 20243
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: ExtCalendar

Post by leolam » Tue Jul 18, 2006 9:46 am

emma wrote: just changed file permissions to 000 and it has taken down the whole site...please help me asap.
Emma, you have a PM from me!
cheers
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

leolam
Joomla! Master
Posts: 20243
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

UNINSTALL MODULE LATEST of EXT CALENDAR as well!

Post by leolam » Tue Jul 18, 2006 9:58 am

WARNING
the module mod_extcalendar_latest is NOT SECURE!

UNINSTALL THIS MODULE IMMEDIATELY!


do not only unpublish but UNINSTALL!

this module also misses the "Access is not allowed" etc.!

Uninstall and delete the three files!

Leo

emma
Joomla! Apprentice
Posts: 6
Joined: Mon Jul 17, 2006 11:30 am

Re: ExtCalendar

Post by emma » Tue Jul 18, 2006 10:16 am

Thank you and to Leo...

Calendar is now completely off and site is back up....although i am hoping all of the calendar information is backed up...

Can anyone suggest a similar calendar for the site that doesn't have security issues?

Kindest Regards, Emma  ???

gws
Joomla! Virtuoso
Posts: 4173
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK

Re: ExtCalendar

Post by gws » Tue Jul 18, 2006 10:28 am

Hi Emma, there is a lot of work going on to make extcalendar safe, you should see a new version available this week.

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: ExtCalendar

Post by Elpie » Tue Jul 18, 2006 11:32 am

Emma, and others, the final work on the ExtCalendar update is in progress as I write. The new version will be out soon and I think you will be very happy with it. A few bugs have been fixed and it is as secure as possible. Just finalising everything now and an announcement will be made as soon as we release it.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

mom2nine
Joomla! Intern
Posts: 53
Joined: Tue Aug 30, 2005 8:05 am
Location: Virginia

Re: ExtCalendar

Post by mom2nine » Tue Jul 18, 2006 11:49 am

Thanks so much for taking on this project.  Losing that calendar component was a tough thing for many of us because it was such a great add-on and worked so well.

lib99
Joomla! Intern
Posts: 90
Joined: Wed Sep 28, 2005 12:52 am
Location: New York, USA

Re: UNINSTALL MODULE LATEST of EXT CALENDAR as well!

Post by lib99 » Tue Jul 18, 2006 12:46 pm

leolam wrote: WARNING
the module mod_extcalendar_latest is NOT SECURE!


First, I'd like to offer a big thank you to those who voluntarily stepped up to fix the security issues recently discovered with this extension.  Ironically, I was just going to ask if the related modules are part of the planned security fix release or not (in addition to the component)?  I don't recall reading that as of yet.  Also, just curious...has the extcal download been unpublished from extensions.joomla.org?  I haven't seen it there, and I know I grabbed it last month.  ???

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: ExtCalendar

Post by Elpie » Tue Jul 18, 2006 12:53 pm

We have patched the MiniCal module, written a removal tool, and done a whole heap of work on the ExtCalendar component.

As far as I am aware, all extensions that have known vulnerabilities with exploits in the wild have been unpublished from the Extensions site. Where an extension is known to have a problem it's not a good idea to leave it there for unsuspecting users to download, eh? ;)

Edit: Just thought I would add - just because an extension is listed on the Extensions site does NOT mean it is necessarily safe. Reports of exploits are coming through faster than anyone can keep up, so it is clear that as the hackers work through 3rd party extensions more vulnerabilities will come to light.  A good list of confirmed vulnerabilities is here: http://forum.mamboguru.com/forumdisplay.php?f=63
(It's essentially an announcement list, so you can see at a glance what extensions are known to have problems - and every one of them listed has exploits in the wild).
Last edited by Elpie on Tue Jul 18, 2006 12:57 pm, edited 1 time in total.

lib99
Joomla! Intern
Posts: 90
Joined: Wed Sep 28, 2005 12:52 am
Location: New York, USA

Re: ExtCalendar

Post by lib99 » Tue Jul 18, 2006 1:02 pm

Yes, I figured as much about unpublishing from the extension downloads, but I'm not familiar enough with Joomla Admin's protocols for these types of scenarios.  Certainly logical and appropriate.  Thanks for the reply, and thank you again to yourself and the others working on this!!

torkil
Joomla! Guru
Posts: 726
Joined: Wed Aug 24, 2005 9:34 am
Location: Rørvik, Norway

Re: ExtCalendar

Post by torkil » Tue Jul 18, 2006 1:08 pm

On a sidenote and about the MiniCal module: Last time I checked it did DB queries in a loop, like this:
for (each day in month) {
    query for events();
}
This should really be patched to increase its performance, if that hasn't already been done.
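The per-day loop torkil describes is the classic N+1 query pattern: a month view issues one query per calendar day when a single range query would do. The following is an added example, not MiniCal's or ExtCalendar's code; it uses a constructed SQLite table and sample events (the schema and event rows are assumptions for illustration) to show both forms returning identical results while the batched version issues one parameterized query instead of 31.

```python
import sqlite3
from datetime import date, timedelta

# Constructed sample data in a minimal schema; NOT ExtCalendar's real table layout.
SAMPLE_EVENTS = [
    ("2006-07-03", "Board meeting"),
    ("2006-07-03", "Release planning"),
    ("2006-07-18", "Security advisory posted"),
    ("2006-07-19", "ExtCalendar 0.9.2 released"),
]


def open_db():
    """In-memory SQLite database holding the constructed sample events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, event_date TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO events (event_date, title) VALUES (?, ?)", SAMPLE_EVENTS)
    conn.execute("CREATE INDEX idx_events_date ON events (event_date)")
    return conn


def days_in_month(year, month):
    """ISO date strings for every day of the given month."""
    first = date(year, month, 1)
    following = date(year + month // 12, month % 12 + 1, 1)
    return [(first + timedelta(days=i)).isoformat() for i in range((following - first).days)]


def events_per_day_loop(conn, year, month):
    """The pattern torkil describes: one query per calendar day (N+1 queries)."""
    result, queries = {}, 0
    for day in days_in_month(year, month):
        rows = conn.execute(
            "SELECT title FROM events WHERE event_date = ? ORDER BY id", (day,)
        ).fetchall()
        queries += 1
        result[day] = [title for (title,) in rows]
    return result, queries


def events_per_day_batched(conn, year, month):
    """One range query for the whole month, grouped by day in application code."""
    days = days_in_month(year, month)
    result = {day: [] for day in days}
    rows = conn.execute(
        "SELECT event_date, title FROM events "
        "WHERE event_date BETWEEN ? AND ? ORDER BY event_date, id",
        (days[0], days[-1]),
    ).fetchall()
    for event_date, title in rows:
        result[event_date].append(title)
    return result, 1


if __name__ == "__main__":
    db = open_db()
    looped, n_loop = events_per_day_loop(db, 2006, 7)
    batched, n_batch = events_per_day_batched(db, 2006, 7)
    print(f"per-day loop: {n_loop} queries; batched: {n_batch} query; "
          f"same result: {looped == batched}")
```

Both versions bind the dates as query parameters rather than interpolating them into SQL, so the rewrite for performance does not loosen the query's safety; the only change is that the month boundaries, not each day, drive a single indexed range scan.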

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

[UPGRADE AVAIL] ExtCalendar Vulnerability

Post by Elpie » Wed Jul 19, 2006 6:06 am

ExtCalendar Security Release (0.9.2)

This is a security release for ExtCalendar taken from the 0.9.1 drop. This should work on both Joomla! and Mambo.
DO NOT Uninstall the ExtCalendar component unless you have a backup of your data or are willing to lose all your events. The previous ExtCalendar uninstall removes its data tables.

Steps to upgrade:
1. Back up your site, including your database. Mamboguru.com has detailed instructions for backing up and restoring the db with phpMyAdmin at http://wiki.mamboguru.com/index.php?tit ... e_database
2. Log in as an admin.
3. Install the com_ExtCalendarRemoval-RC1.zip component (this removes ExtCalendar without deleting the data). If it reports any errors, please delete those directories using an FTP client or a file manager.
4. Uninstall the ExtCalendarRemoval component.
5. Install the new com_extcalendar_0_9_2_RC4.zip.

Removal Component here: http://mamboguru.com/downloads/ExtCalen ... al-RC1.zip

New ExtCalendar upgrade here: http://mamboguru.com/downloads/ExtCalen ... _2_RC4.zip

Security Update for MiniCal here: http://mamboguru.com/downloads/ExtCalen ... _3_RC2.zip

If you experience any problems with downloading or using this security release, please contact us through the Mambo Guru forums. This update applies to both Mambo and Joomla and we just cannot keep an eye on all the forums individually.
Last edited by Elpie on Wed Jul 19, 2006 6:25 am, edited 1 time in total.

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Wed Jul 19, 2006 6:22 am

O/T kinda ;)

I just want to say a BIG THANK YOU! to everyone who came forward to test these new releases of ExtCalendar. I also want to publicly thank davidrrm without whom these releases would not have happened, and counterpoint for his contributions.  When I had the bright idea to do this, I had no idea how much work was going to end up going into it. This has been a collaborative effort involving many people from both Joomla and Mambo, for the benefit of the wider communities of users. This security release really shows the power and spirit of open source and I am grateful to all of you who allowed me to talk you into coming on board - thanks.

leolam
Joomla! Master
Posts: 20243
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by leolam » Wed Jul 19, 2006 6:25 am

I just concur to say a BIG THANK YOU!


just one for the road........status mod_extcalendar_latest;)

cheers ...You are ALL Wonderful people!

Leo

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Wed Jul 19, 2006 6:34 am

leolam wrote: just one for the road........status mod_extcalendar_latest;)
No, we didn't touch the latestevents module. It requires a major overhaul, far more than a security release. There are some good things planned for the project as a whole so the future may bring what you are looking for.

For now, I recommend that people do not use the module.

boardmoose
Joomla! Apprentice
Posts: 8
Joined: Thu Jul 13, 2006 12:51 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by boardmoose » Wed Jul 19, 2006 6:37 am

THANK YOU!!  :)

Ottobufonto
Joomla! Enthusiast
Posts: 118
Joined: Tue Sep 06, 2005 10:53 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Ottobufonto » Wed Jul 19, 2006 8:24 am

Thanks Elpie and all!!!!

any chance for a list of bug fixes? (you mentioned you addressed some)

sc00zy
Joomla! Exemplar
Posts: 9532
Joined: Thu Aug 18, 2005 9:07 am
Location: Assen, Netherlands

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by sc00zy » Wed Jul 19, 2006 8:26 am

Thanks everybody! :D
Arjan Menger
https://welldotcom.nl - Puntgaaf Internetbureau

LeonZ
Joomla! Apprentice
Posts: 9
Joined: Thu Aug 18, 2005 12:30 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by LeonZ » Wed Jul 19, 2006 9:29 am

Thanks for the hard work.  :D
Little problem: the Dutch language file included doesn't work at all. Attached a working version for Dutch.

LeonZ
Joomla! Apprentice
Posts: 9
Joined: Thu Aug 18, 2005 12:30 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by LeonZ » Wed Jul 19, 2006 10:20 am

Hi all,

I just stumbled into another problem. I am using the minical-module on the frontpage. When I click on a date in the minical the page which comes up tells me I don't have rights to view and have to login first.

On the other hand, when I click the menu-item for my calendar and the calendar is showing I can click in the minical without getting the notice. In other words minical works when viewing the calendar but without the calendar it is not.

URL = whiskypassion
Last edited by LeonZ on Wed Jul 19, 2006 10:30 am, edited 1 time in total.

charlie
Joomla! Apprentice
Posts: 8
Joined: Sun Sep 18, 2005 7:43 am

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by charlie » Wed Jul 19, 2006 10:24 am

Huge thank you to all involved with this upgraded version. Thanks for the hard work.

Charles (Johannesburg, South Africa).

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Wed Jul 19, 2006 11:35 am

LeonZ wrote: Thanks for the hard work.  :D
Little problem: the Dutch language file included doesn't work at all. Attached a working version for Dutch.
Thanks LeonZ. We will add this at the first opportunity.

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by RobinH » Wed Jul 19, 2006 1:07 pm

LeonZ wrote: Hi all,

I just stumbled into another problem. I am using the minical-module on the frontpage. When I click on a date in the minical the page which comes up tells me I don't have rights to view and have to login first.

On the other hand, when I click the menu-item for my calendar and the calendar is showing I can click in the minical without getting the notice. In other words minical works when viewing the calendar but without the calendar it is not.

URL = whiskypassion
Hey Elpie, I'm an idiot, all my testing was done logged in, should have caught that.  Guess we need to pass that on to David.  Next testing I'll add in steps for registered, guest, and special groups to insure all functionality....my bad....

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by davidrrm » Wed Jul 19, 2006 1:31 pm

LeonZ wrote: Hi all,

I just stumbled into another problem. I am using the minical-module on the frontpage. When I click on a date in the minical the page which comes up tells me I don't have rights to view and have to login first.

On the other hand, when I click the menu-item for my calendar and the calendar is showing I can click in the minical without getting the notice. In other words minical works when viewing the calendar but without the calendar it is not.

URL = whiskypassion
I believe you have com_extcalendar published in two different menu items (perhaps on different menus), one with Public access and one with Registered or Special access. The access rights are completely controlled by Joomla. When you click on the mini_cal on the front page, it does not have an Itemid for a menu item, so Joomla has to look through your menus to "guess" what access should be given. When you click on the menu item, it knows which Itemid to use, and can assign the right access permissions.
I tested this on your site by adding &Itemid=43 (the item id for your calendar menu item) to the URL for the mini_cal from the front page and was able to jump to the event.

david

wuslon
Joomla! Fledgling
Posts: 1
Joined: Sat Jul 15, 2006 8:27 am

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by wuslon » Wed Jul 19, 2006 1:39 pm

what a great job.

thank you so much!


The upgrade worked with no problems. (Sorry about my very badly written English, please!)

One question: what about the Search ExtCal Calendar 1.1 mambot? Is this mambot secure, or is it better to uninstall it like mod_extcalendar_latest?


wuslon

emma
Joomla! Apprentice
Posts: 6
Joined: Mon Jul 17, 2006 11:30 am

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by emma » Wed Jul 19, 2006 1:41 pm

Thanks Everyone for your help yesterday - you were fantastic.

Kindest Rgds, Emma  :D

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by RobinH » Wed Jul 19, 2006 2:21 pm

David, I just ran through it on my test site as Guest, and you are correct.  I have the calendar set for public and had no problems accessing it. I tried to emulate the problem he's listed above but have been unable.

I tried changing the component to "registered" required for new entry or edit, and the calendar displays fine and acts appropriately in that only registered can enter new events.  I changed the module to "registered" and it does not display to the public.  So I've tried mixing it up with one being public and the other registered but couldn't get that fault.

Is it possible he's running mod_latest??

EDIT - David, you're right.  I added in a menu item for calendar and marked registered, so now I have one menu item public, the other registered.  When I click on the minical, I get the error he has listed above.
Last edited by RobinH on Wed Jul 19, 2006 2:29 pm, edited 1 time in total.

p3rti
Joomla! Fledgling
Posts: 1
Joined: Wed Jul 19, 2006 2:15 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by p3rti » Wed Jul 19, 2006 2:24 pm

Hi.

First I want to say: THANK YOU. That is what I love about free software (free as in freedom). Right now I want to test this component with the minical module of ExtCalendar. I installed the last version ;) and when I logged in as admin on the front end and put in an event as admin, it said to wait for the admin to admit it. I received an email from the software with the description and a link, and when I click on the link (and I'm logged in with the admin account) it says "Your user level is merely Anonymous Guest, and it must be at least Administrator." and it's very weird. I don't see any button that says edit or something like that. I want to know if I have to make a hack to the code or something like that.

Thanks a lot. This makes me feel so happy about everything around free software!!

:D

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by RobinH » Wed Jul 19, 2006 2:32 pm

p3rti wrote: Hi.

First I want to say: THANK YOU. That is what I love about free software (free as in freedom). Right now I want to test this component with the minical module of ExtCalendar. I installed the last version ;) and when I logged in as admin on the front end and put in an event as admin, it said to wait for the admin to admit it. I received an email from the software with the description and a link, and when I click on the link (and I'm logged in with the admin account) it says "Your user level is merely Anonymous Guest, and it must be at least Administrator." and it's very weird. I don't see any button that says edit or something like that. I want to know if I have to make a hack to the code or something like that.

Thanks a lot. This makes me feel so happy about everything around free software!!

:D
Log out and log back in, assuming your user level is Admin. Then click on the minical; you should have the calendar displayed and, near the top, a box for events to approve. Shouldn't require any hack. If you notice, the link in the email states that you must be logged in with administrative authority to approve. Most of the time that link takes you in as Guest, so you have to log in to do the approval. Try that and see if it works.

metatech
Joomla! Apprentice
Posts: 8
Joined: Wed Apr 05, 2006 11:42 am

Re: [UPGRADE AVAIL] ExtCalendar Vulnerability

Post by metatech » Wed Jul 19, 2006 2:41 pm

Thank you so very much for this contribution. You've saved my bacon! :D
Elpie wrote: ExtCalendar Security Release (0.9.2)

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by RobinH » Wed Jul 19, 2006 3:00 pm

LeonZ wrote: Hi all,

I just stumbled into another problem. I am using the minical-module on the frontpage. When I click on a date in the minical the page which comes up tells me I don't have rights to view and have to login first.

On the other hand, when I click the menu-item for my calendar and the calendar is showing I can click in the minical without getting the notice. In other words minical works when viewing the calendar but without the calendar it is not.

URL = whiskypassion
Whew!  Leon, I was able to emulate this problem, then couldn't get rid of it!!!  Thanks to David for saving my bacon.  Here's what I had, and you see if you can follow this logic (it might be illogical . . lol) and maybe be able to come to a conclusion on your issue.

First, after proofing extcal and minical, I added a menu item for a component under usermenu for Calendar.  I first had that as a public function, and my minical and this usercal both worked fine.  Then I made the usercal a registered access item, and blammo... I get the error you indicated above.  So, thinks I, I'll delete that menu item and all will be well... NOT... I deleted it, but didn't reset it to public first.  I kept getting this error even though it was deleted.  So I uninstalled and reinstalled both the component and the module. Was near to pulling out my hair when David chimed in with his valuable comment:  "Did you empty your trash?".... NO WAY, it can't be that easy???

Well, went back into admin, home, trash, menu items, and deleted them (of which there were several) and now all is good.  Egads I'm glad David's around!!!!!!

Hope this works for you!

Message from your old Uncle Robin - remember boys and girls, to empty your trash when you're through!!!
Last edited by RobinH on Wed Jul 19, 2006 3:04 pm, edited 1 time in total.
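davidrrm's explanation (a MiniCal link without an Itemid forces Joomla to guess which menu item's access level applies) and RobinH's follow-up (a trashed menu item still takes part in that guess until the trash is emptied) describe one failure mode: an access decision that depends on an ambiguous lookup. The following is an added model written for this thread, not Joomla's or ExtCalendar's code. It assumes Joomla 1.0-style access levels (Public < Registered < Special), a trashed flag rather than hard deletion, and, as a modelling choice that reproduces what the thread reports but is not Joomla's actual lookup, that the guess takes the most restrictive matching menu item. Itemid 43 is the calendar menu item davidrrm mentions; Itemid 57 and the task/event_id parameters in the link are constructed.

```python
from urllib.parse import parse_qs, urlparse

# Access levels and publish states used by this model (assumption: Joomla 1.0-style
# Public < Registered < Special, and trashed menu items flagged rather than deleted).
PUBLIC, REGISTERED, SPECIAL = 0, 1, 2
PUBLISHED, TRASHED = 1, -2


class MenuItem:
    def __init__(self, itemid, link, access, published=PUBLISHED):
        self.itemid = itemid
        self.link = link
        self.access = access
        self.published = published

    def component(self):
        """The component (option=...) this menu item points at."""
        return parse_qs(urlparse(self.link).query).get("option", [None])[0]


def required_access(menu, url):
    """Access level the model demands for `url`.

    With an explicit Itemid the named menu item decides.  Without one, the model
    mimics the "guess" davidrrm describes: every menu item for the same component
    is a candidate, trashed ones included (RobinH's symptom), and the most
    restrictive candidate wins.  That rule reproduces what the thread reports;
    it is a modelling assumption, not Joomla's actual lookup code.
    """
    query = parse_qs(urlparse(url).query)
    if "Itemid" in query:
        wanted = int(query["Itemid"][0])
        for item in menu:
            if item.itemid == wanted:
                return item.access
        raise LookupError(f"no menu item with Itemid={wanted}")
    option = query.get("option", [None])[0]
    candidates = [item.access for item in menu if item.component() == option]
    return max(candidates, default=PUBLIC)


def can_view(user_level, menu, url):
    """True when a user at `user_level` may open `url` under this model."""
    return user_level >= required_access(menu, url)


def empty_trash(menu):
    """Admin > Trash > Menu Items > Delete, as a function: drop trashed items for good."""
    return [item for item in menu if item.published != TRASHED]


if __name__ == "__main__":
    calendar = "index.php?option=com_extcalendar"
    # A MiniCal day link carries no Itemid (task/event_id values are constructed).
    minical_link = "index.php?option=com_extcalendar&task=view_event&event_id=7"
    menu = [MenuItem(43, calendar, PUBLIC)]
    print("guest, one public item:", can_view(PUBLIC, menu, minical_link))                   # True
    menu.append(MenuItem(57, calendar, REGISTERED))
    print("guest, second item registered:", can_view(PUBLIC, menu, minical_link))            # False
    print("guest, explicit Itemid=43:", can_view(PUBLIC, menu, minical_link + "&Itemid=43"))  # True
    menu[1].published = TRASHED
    print("guest, item 57 trashed:", can_view(PUBLIC, menu, minical_link))                   # False
    print("guest, trash emptied:", can_view(PUBLIC, empty_trash(menu), minical_link))        # True
```

The two fixes the thread arrives at map onto the two code paths: appending an explicit Itemid (davidrrm's test) makes the access decision deterministic, and emptying the trash (RobinH's fix) removes the stale candidate from the guess. Either way, the check a site owner can run is to confirm that every menu item, trashed ones included, pointing at com_extcalendar carries the access level they intend.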

