[UPGRADE AVAIL.] ExtCalendar Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

LeonZ
Joomla! Apprentice
Posts: 9
Joined: Thu Aug 18, 2005 12:30 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by LeonZ » Wed Jul 19, 2006 3:06 pm

davidrrm wrote:
LeonZ wrote: Hi all,

I just stumbled into another problem. I am using the minical-module on the frontpage. When I click on a date in the minical the page which comes up tells me I don't have rights to view and have to login first.

On the other hand, when I click the menu-item for my calendar and the calendar is showing I can click in the minical without getting the notice. In other words minical works when viewing the calendar but without the calendar it is not.

URL = whiskypassion
I believe you have com_extcalendar published in two different menu items (perhaps on different menus). One with public access and one with Registered or Special access. The access rights are completely controlled by Joomla. When you click on the mini_cal on the front page, it does not have an Itemid for a menu item, so Joomla has to look through your menus to "guess" what access should be given. When you click on the menu item, it knows which Itemid to use, and can assign the right access permissions.
I tested this on your site by adding &Itemid=43 (the item id for your calendar menu item) to the URL for the mini_cal from the front page and was able to jump to the event.

david
David,
Thanks for helping me on the right track. I had the former menu item for the calendar in my trash and that one was for specials only.......

Glad everything works again.
Thanks all

LeonZ
Joomla! Apprentice
Posts: 9
Joined: Thu Aug 18, 2005 12:30 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by LeonZ » Wed Jul 19, 2006 3:33 pm

@RobinH

Thanks for your PM.  ;D Look at the times we posted. We found out the trash at the same time. I remember I had this thing once more but that was some time ago....so was out of my system.. :-[

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by RobinH » Wed Jul 19, 2006 3:48 pm

@LeonZ

Gracias amigo!!!¡¡¡  I totally spaced that, told David I felt like a total loser...lol... anyway, glad they're both up and running. Mine luckily is just on a test server and is not my "real" Joomla page. I do everything on the test server first, so that if I lose my brain, or it turns into gristle, I don't mess up my real site.....

Anyway, great forums here for this kind of info.  Also, ignore my post over at MamboGuru, it's the same as here....

Floranett
Joomla! Enthusiast
Posts: 160
Joined: Sun Mar 12, 2006 7:11 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Floranett » Wed Jul 19, 2006 4:22 pm

Thanks a lot to the guys for this great work to make this security fix possible  :D

Ottobufonto
Joomla! Enthusiast
Posts: 118
Joined: Tue Sep 06, 2005 10:53 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Ottobufonto » Wed Jul 19, 2006 4:44 pm

Guys,
just switched on debug while merging some of my venue mods...

I get an awful lot of Undefined variable: recur_nextStartStamp in lib/event.inc.php
and Undefined index: events in default/theme.php that I hadn't seen before...

Edit: just to clarify - those were not variables I added...
edit2: forget it - just figured out that those are all old and known... never mind... I guess I forgot that I had them in the past...

Otto
Last edited by Ottobufonto on Wed Jul 19, 2006 5:16 pm, edited 1 time in total.

svenl
Joomla! Ace
Posts: 1032
Joined: Mon Oct 17, 2005 1:50 pm
Location: Närke, Sweden

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by svenl » Wed Jul 19, 2006 7:59 pm

THANKS !!!

The upgrade of this Component and the MiniCal module seems to have worked fine for me.

The only thing about "data" was that all my daily pictures disappeared  :(
But I have a zip file with most of them on one computer at the office (upload tomorrow).

/Sven
8)
-
The truth is out there; have you searched for your answer?
Was the answer good and did it solve your problem? Then don't forget to change your first post to solved (Solved)

muni
Joomla! Apprentice
Posts: 11
Joined: Fri Sep 02, 2005 7:45 am
Location: Luxembourg

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by muni » Wed Jul 19, 2006 8:14 pm

Thanks, you saved this little wonderful component.

Slack
Joomla! Apprentice
Posts: 7
Joined: Wed Sep 21, 2005 7:09 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Slack » Wed Jul 19, 2006 9:45 pm

Thanks for updating and securing this component!

I successfully upgraded a test site, however I am getting an error on my live site (which has about 500 calendar entries).  Both the ExtCalendar component and the Mini-calendar module seem to install properly.  However, when I publish the Mini-calendar I get this error:

Fatal error: Cannot access empty property in /home/weenie/public_html/mambo/components/com_extcalendar/lib/event.inc.php on line 241

Here is a code snippet for line 241:

} else {
    $this->endDate = strtotime($row['end_date']);
}  // <= This is line 241!
Any ideas?

Thanks!

deleted user

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by deleted user » Thu Jul 20, 2006 12:21 am

I'm having the same problem as Slack. This is the offending line:
if ($this->$recur_nextStartStamp) $target_stamp = $recur_nextStartStamp;
I dimly recall something similar with the old extcal. It had to do with the recurrent events function. Back then I found a fix (in the mambo forum I think...) -- I'll look into it.

Anyway, I did have some existing extCal entries. The new component and mod installed fine (though it added a new, second "General" Category)

After the uninstall/new install I uninstalled the extcal latest events mod. I deleted my old Calendar menu link and emptied the trash.

Do I need to kill the old ExtCal search mambot as well?

Thanks a lot to those of you who exposed the security risk and are working on the new version.

FYI, here are some bugs and oversights with the old extCal I've recorded:

1) recurrent events function required a patch/code change to make the recurrent events function work right. It is still too limited--needs to allow events that recur on a specific day of the week. That is how most recurrent events work.
2) user submitted events do not identify the author. Integration with profiles, or Community Builder would be excellent.
3) if your template uses mosPathway, it does odd things (though not just with extcal). click one of the view options (like "monthly view" in extcal) or "upcoming events" from the old latest events mod, and mosPathway tells me I am located at "News->Submit News->Guidelines" or "Submit Events" on my site. (http://www.riverwestneighborhood.org) Also my "Submit News" (JASubmit com) menu item will expand as if you clicked it to reveal the submenu item it has, which is (on my site) a "Submission Guidelines" link.
Last edited by deleted user on Thu Jul 20, 2006 12:49 am, edited 1 time in total.
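An added illustration of why the line quoted above fails with "Cannot access empty property", and what the two workarounds mentioned in this thread (commenting the line out, or referencing the object's own property) change. This is example code written for this edit, not ExtCalendar's `lib/event.inc.php`; the class name, the field and the timestamps are assumed, and the "intended" variant is one reading of the line, not a patch from the developers.

```php
<?php
// Added example (not ExtCalendar code). Class name and field are assumed for illustration.
class RecurDemo
{
    // Assumed: the object's own copy of the next recurrence start (UNIX timestamp, 0 = none).
    public $recur_nextStartStamp = 0;

    // The line quoted in the thread, unchanged. `$this->$recur_nextStartStamp` is a
    // *variable* property access: PHP first reads the local $recur_nextStartStamp, which
    // does not exist in this scope (consistent with the "Undefined variable:
    // recur_nextStartStamp" notice reported earlier in this thread), gets '' and then looks
    // for the property $this->''. On PHP 5 that is the fatal "Cannot access empty property";
    // PHP 7.1 and later accept an empty property name, so the same line only emits
    // undefined-variable / undefined-property warnings and the condition is always false.
    // Either way the recurrence is never applied. Kept here for comparison; demo() does not call it.
    public function asPosted($target_stamp)
    {
        if ($this->$recur_nextStartStamp) $target_stamp = $recur_nextStartStamp;
        return $target_stamp;
    }

    // "Comment it out" (the workaround Slack used): the assignment is gone, so the event
    // keeps its original start stamp and recurrences are not advanced. No fatal error,
    // but recurring events are only ever shown at their first occurrence.
    public function commentedOut($target_stamp)
    {
        // if ($this->$recur_nextStartStamp) $target_stamp = $recur_nextStartStamp;
        return $target_stamp;
    }

    // Assumed intent: test and use the object's own property. empty() also covers the
    // case where the property was never set, so no notice is raised on either path.
    public function intended($target_stamp)
    {
        if (!empty($this->recur_nextStartStamp)) {
            $target_stamp = $this->recur_nextStartStamp;
        }
        return $target_stamp;
    }
}

// Constructed timestamps for the demonstration.
function demo()
{
    $original = 1153267200;            // constructed event start
    $event = new RecurDemo();

    $noRecurrence = array(
        'commentedOut' => $event->commentedOut($original),   // 1153267200
        'intended'     => $event->intended($original),       // 1153267200: property is 0
    );

    $event->recur_nextStartStamp = 1153872000;               // constructed next occurrence
    $withRecurrence = array(
        'commentedOut' => $event->commentedOut($original),   // still 1153267200
        'intended'     => $event->intended($original),       // 1153872000
    );

    return array('no_recurrence' => $noRecurrence, 'with_recurrence' => $withRecurrence);
}

print_r(demo());
```

The comparison shows why "just comment it out" is harmless for the mini-calendar (it only drops the recurrence advance) and why the error is a code defect rather than anything to do with the site's data or permissions.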

klaatu
Joomla! Fledgling
Posts: 1
Joined: Sun May 21, 2006 6:39 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by klaatu » Thu Jul 20, 2006 12:23 am

Is it normal to have a directory called "upload" with full privileges under /admin/components/com_extcalendar ?  I can't seem to either change permissions of this directory or delete it.

deleted user

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by deleted user » Thu Jul 20, 2006 12:47 am

Looks like here is some relevant discussion I haven't seen before of the fatal error problem in the old extcal, and the solution is a little suspect:
http://forum.joomla.org/index.php/topic,42828.0.html

And I seem to recall finding help here:
http://mamboxchange.com/tracker/index.p ... =&start=25

Is this the best way to go--just comment out the problematic line? It does work, or seems to.
Last edited by deleted user on Thu Jul 20, 2006 12:55 am, edited 1 time in total.

deleted user

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by deleted user » Thu Jul 20, 2006 12:57 am

FYI, as with the old minical, some users may have problems with it on their template, especially in IE browsers.

For those (like me) who are not HTML/CSS masters, go into the minical mod file and modify the numeric width settings to suit your needs. (I just change them all to 100%.) Most are set to 135 (pixels) except the "add event" bar, which is 139 for some reason. No matter what pixel width you make it, on IE6 the "add event" bar kicks out further to the right than the rest of the calendar.

Note there is also a good darker theme for minical from gtek:
http://www.gotgtek.com/cms/downloads/cat_view-211.html
Last edited by deleted user on Thu Jul 20, 2006 1:16 am, edited 1 time in total.

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Thu Jul 20, 2006 1:48 am

Just remember that the new version is a security release. Although we found some bugs which we fixed, we did not try to fix all the bugs (if we had, people would still be waiting for the release) so some of the issues that arose with the original ExtCal and module will still be there. They are annoyances though, not security issues ;) 
ExtCalendar will be actively developed now so those issues are likely to be addressed in future.
Hope this helps.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

pateta12
Joomla! Intern
Posts: 80
Joined: Sun Oct 30, 2005 3:26 am

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by pateta12 » Thu Jul 20, 2006 3:43 am

Elpie wrote: Just remember that the new version is a security release. Although we found some bugs which we fixed, we did not try to fix all the bugs (if we had, people would still be waiting for the release) so some of the issues that arose with the original ExtCal and module will still be there. They are annoyances though, not security issues ;) 
ExtCalendar will be actively developed now so those issues are likely to be addressed in future.
Hope this helps.
Thanks for doing everything that you are doing.

Is there anyway to have this release in the forge.
I am pretty sure that there is a lot of people that might not be even aware of the different security issues with 3rd party components (I was one of those).  If you have this in the forge then people will be "safer" even if they didn't even realize what was going on.


Thanks again...

technopuzzle
Joomla! Ace
Posts: 1958
Joined: Thu Aug 18, 2005 5:53 pm
Location: Washington D.C. & Baltimore, MD Metro

Re: UNINSTALL MODULE LATEST of EXT CALENDAR as well!

Post by technopuzzle » Thu Jul 20, 2006 3:47 am

I want to give a big KUDOS to all those that worked on this security update. Great job!

I also wanted to mention that in the original Latest Events module there was some type of hack needed so that you could display /  clone / use multiple copies of this module at the same time. I don't really remember what the hack was (because it was soooo looooong ago). But just wanted to give the developers a little nudge nudge wink wink about this - so that this type of functionality could be built into the revised version.
lib99 wrote:
leolam wrote: WARNING
the module mod_extcalendar_latest is NOT SECURE!


First, I'd like to offer a big thank you to those who voluntarily stepped up to fix the security issues recently discovered with this extension.  Ironically, I was just going to ask if the related modules are part of the planned security fix release or not (in addition to the component)?  I don't recall reading that as of yet.  Also, just curious...has the extcal download been unpublished from extensions.joomla.org?  I haven't seen it there, and I know I grabbed it last month.  ???


--Roger
Thanks,
Roger Raymond
Techno Puzzle

Ottobufonto
Joomla! Enthusiast
Posts: 118
Joined: Tue Sep 06, 2005 10:53 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Ottobufonto » Thu Jul 20, 2006 8:56 am

Hi unixboymd,
that was my patch... It was put on the forge as the baseline version for the lastest_event_mod.

Just install the version from the forge, use the copy function in the module manager - rename it, enable "limit Events to selected cats" and select which cats you want to see in either module.

there is an extra patch on the forge that changes one line for recurring events in case you want to limit the number of days you want to look ahead. (if you use it - make sure to replace the correct line)

NOTE: This version has NOT been bullet proofed by Elpie and the team !!!!!!

otto
Last edited by Ottobufonto on Thu Jul 20, 2006 8:59 am, edited 1 time in total.

nathandiehl
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by nathandiehl » Thu Jul 20, 2006 2:18 pm

can i suggest that this new version be submitted to the extensions site?
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: [UPGRADE AVAIL] ExtCalendar Vulnerability

Post by WebJIVE » Thu Jul 20, 2006 5:05 pm

Elpie wrote: ExtCalendar Security Release (0.9.2)

This is a security release for ExtCalendar taken from the 0.9.1 drop. This should work on both Joomla! and Mambo.
DO NOT Uninstall the ExtCalendar component unless you have a backup of your data or are willing to lose all your events. The previous ExtCalendar uninstall removes its data tables.

Steps to upgrade:
1.      Backup your site, including your database. Mamboguru.com has detailed instructions for backing up and restoring db with phpMyAdmin at http://wiki.mamboguru.com/index.php?tit ... e_database
2.      Log in as an admin
3.      Install the com_ExtCalendarRemoval-RC1.zip component (this removes ExtCalendar without deleting the data). If it reports any errors, please delete those directories using an FTP client or a file manager.
4.      Uninstall the ExtCalendarRemoval component.
5.      Install the new com_extcalendar_0_9_2_RC4.zip.

Removal Component here: http://mamboguru.com/downloads/ExtCalen ... al-RC1.zip

New ExtCalendar upgrade here: http://mamboguru.com/downloads/ExtCalen ... _2_RC4.zip

Security Update for MiniCal here: http://mamboguru.com/downloads/ExtCalen ... _3_RC2.zip

If you experience any problems with downloading or using this security release, please contact us through the Mambo Guru forums. This update applies to both Mambo and Joomla and we just cannot keep an eye on all the forums individually.
Hmm.. All the extcalremoval does for me is download a copy in index2.php to my local machine.  I thought I had permissions cranked down too hard but other components installed fine.  Any ideas?
Web Design, Hosting, Flash Development, Graphics & Logo Design
"The Web Made Easy"
http://www.web-jive.com

lucke13b
Joomla! Apprentice
Posts: 10
Joined: Tue Feb 28, 2006 4:39 am
Location: Milwaukee, WI

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by lucke13b » Fri Jul 21, 2006 12:55 am

Just wanted to say THANK YOU VERY MUCH to all the developers that worked on this!  I have been monitoring this post ever since Phil Taylor announced the issue in his mailer (which I appreciated--thank you Phil!)  The upgrade could not have been any easier to perform.  Amazing team work from an amazing community!  You have all helped me help hurricane Katrina volunteers keep the schedule rolling (http://www.olgv.org/)!  Thanks again!

Sincerely,

Billy (Milwaukee, WI)

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Fri Jul 21, 2006 1:21 am

lucke13b wrote: You have all helped me help hurricane Katrina volunteers keep the schedule rolling (http://www.olgv.org/)!  Thanks again!
Life is full of coincidences and your post has made me very happy Billy. I don't want to take this thread off-topic, but of the things I do, apart from OS and other work, you might care to look at my "baby" (an opportunity for some collaboration maybe?) http://disastersearch.org). It's not using ExtCalendar though! LOL
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL] ExtCalendar Vulnerability

Post by Elpie » Fri Jul 21, 2006 1:22 am

BoardJIVE wrote: Hmm.. All the extcalremoval does for me is download a copy in index2.php to my local machine.  I thought I had permissions cranked down to hard but other components installed fine.  Any ideas?
Can you give me more details please BoardJIVE? What's your system running?
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

mom2nine
Joomla! Intern
Posts: 53
Joined: Tue Aug 30, 2005 8:05 am
Location: Virginia

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by mom2nine » Fri Jul 21, 2006 3:53 am

Want to add my heartfelt thanks for the folks who spent time fixing the problem with this component,  you guys ROCK!

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: [UPGRADE AVAIL] ExtCalendar Vulnerability

Post by WebJIVE » Fri Jul 21, 2006 12:53 pm

Elpie wrote:
BoardJIVE wrote: Hmm.. All the extcalremoval does for me is download a copy in index2.php to my local machine.  I thought I had permissions cranked down to hard but other components installed fine.  Any ideas?
Can you give me more details please BoardJIVE? What's your system running?
Hi Elpie.   My system is running Joomla 1.0.10 and extcal .91 and the latest events module.  I would provide more info in a PM if you would like.  A little paranoid these days with all the hacking.  This site is a customer site that I developed a while back.

Thanks for the GREAT work!!!
Last edited by Anonymous on Fri Jul 21, 2006 3:27 pm, edited 1 time in total.
Web Design, Hosting, Flash Development, Graphics & Logo Design
"The Web Made Easy"
http://www.web-jive.com

koltz
Joomla! Intern
Posts: 66
Joined: Mon Nov 07, 2005 4:05 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by koltz » Fri Jul 21, 2006 2:55 pm

Thanks for the fix and update.  Does anybody have the mod_extcalendar_latest file or does this still need to be fixed?  It allows you to post upcoming events on the main page.

Thanks,

Corey

Slack
Joomla! Apprentice
Posts: 7
Joined: Wed Sep 21, 2005 7:09 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Slack » Fri Jul 21, 2006 3:13 pm

Latest Events still needs to be fixed.

dpk, thanks for the "comment out" solution - dunno what effect it has, but at least the mini-calendar is running.

fonny
Joomla! Intern
Posts: 90
Joined: Fri Aug 26, 2005 8:27 am
Location: Westerlo

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by fonny » Sat Jul 22, 2006 12:10 pm

Elpie,

Thanks for the nice job. I was hit by a hacker.

Could you also inform the Security Focus website that a solution is available ? 
See http://www.securityfocus.com/bid/18876/solution
and the Echo Research Development Centre ? See
http://advisories.echo.or.id/adv/adv36- ... e-2006.txt

greetings
fonny

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Sat Jul 22, 2006 2:22 pm

Hi fonny,
SecurityFocus were notified but didn't read the email very carefully it seems ;)
They have ExtCalendar listed under a couple of different IDs and updated only one, but not with the correct information (http://www.securityfocus.com/bid/19042/solution).

davidrrm who did most of the coding for the updated version intends to get this up on the forge and onto the extensions site soon, which will make it easier for people to find.

 
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Sat Jul 22, 2006 2:25 pm

@BoardJIVE - have you changed anything on your site that may be preventing installation?  Nobody is able to reproduce the problem you are having and no-one else has reported it, so it's looking likely that there is something in your site/server setup that is preventing installation.
Sorry, I know this is not much help :(
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

ssherlock
Joomla! Apprentice
Posts: 29
Joined: Wed Oct 05, 2005 9:29 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by ssherlock » Sat Jul 22, 2006 4:59 pm

Slack wrote: Latest Events still needs to be fixed.

dpk, thanks for the "comment out" solution - dunno what effect it has, but at least the mini-calendar is running.
Would this be as simple as adding the following?
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
to the php files?

I should add I'm only asking because I've seen this mentioned elsewhere and it's NOT because I actually know what I'm talking about! :)

I hope the above is the case because it is a very useful component and my site is missing it.

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Sun Jul 23, 2006 1:11 am

ssherlock wrote:
Slack wrote: Latest Events still needs to be fixed.

dpk, thanks for the "comment out" solution - dunno what effect it has, but at least the mini-calendar is running.
Would this be as simple as adding the following?
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
to the php files?
No. Adding that line would make it safer, but it would still be vulnerable.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
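An added example of what the `_VALID_MOS` line actually does, and why Elpie's answer is "safer, but still vulnerable". This is illustrative code written for this edit, not ExtCalendar's or Joomla's own source; the task allowlist, the parameter names and the sanitizing helpers are constructed for the example and are not a description of the fix the team shipped.

```php
<?php
// Added example (not ExtCalendar code). Shows the scope of the direct-access guard.

// 1. The guard. In Joomla! 1.0 / Mambo the front controller (index.php) defines
//    _VALID_MOS before it includes a component or module file. A request that names
//    the file directly by URL never passes through index.php, so the constant is
//    missing and the script stops on this line. That is all the guard does.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

// 2. What the guard does not cover. A request routed through
//    index.php?option=com_example&task=...&id=... arrives with _VALID_MOS defined and
//    with every parameter exactly as the client sent it. The guard has no opinion
//    about those values, so any defect in how the component itself handles its input
//    is untouched: that is the sense in which the line makes things safer without
//    making them safe. The helpers below are one way to validate the input; they are
//    assumed for this example, not taken from ExtCalendar.

// Constructed allowlist of task names this example component knows how to render.
function allowedTasks()
{
    return array('view', 'month', 'week', 'day');
}

// Unknown task names are replaced by the default, so the raw string never reaches
// the rest of the component.
function sanitizeTask($rawTask)
{
    $task = is_string($rawTask) ? $rawTask : '';
    return in_array($task, allowedTasks(), true) ? $task : 'view';
}

// The id is only ever used as an integer: cast it and reject non-positive values.
function sanitizeId($rawId)
{
    $id = is_scalar($rawId) ? (int) $rawId : 0;
    return $id > 0 ? $id : 0;
}

$task = sanitizeTask(isset($_REQUEST['task']) ? $_REQUEST['task'] : 'view');
$id   = sanitizeId(isset($_REQUEST['id']) ? $_REQUEST['id'] : 0);

// From here on the component works only with $task (one of four known names) and
// $id (a non-negative integer), whatever the query string contained.
echo "task=$task id=$id\n";
```

Run directly (for example from the command line), the script prints only the `die()` message, which is the behaviour the guard is for; included from a file that first does `define('_VALID_MOS', 1);` it proceeds to the validation code, which is the part that has to be correct for the component to be safe when reached through index.php.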

