[UPGRADE AVAIL.] ExtCalendar Vulnerability

[LeonZ]

Hi all,

I just stumbled into another problem. I am using the minical-module on the frontpage. When I click on a date in the minical the page which comes up tells me I don't have rights to view and have to login first.

On the other hand, when I click the menu-item for my calendar and the calendar is showing I can click in the minical without getting the notice. In other words minical works when viewing the calendar but without the calendar it is not.

URL = whiskypassion

I believe you have com_extcalendar published in two differnent menu items (perhaps on different menus). One with public access and one with Registered or Special access. The access rights are completely controlled by Joomla. When you click on the mini_cal on the front page, it does not have an Itemid for a menu item, so Joomla has to look through your menus to "guess" what access should be given. When you click on the menu item, it knows which Itemid to use, and can assign the right access permissions.
I tested this on your site by adding &Itemid=43 (the item id for your calendar menu item) to the URL for the mini_cal from the front page and was able to jump to the event.

david

David,
Thanks for helping me on the right track. I had the former menu item for the calendar in my trash and that one was for specials only.......

Glad everything works again.
Thanks all

[LeonZ]

@RobinH

Thanks for your PM.  Look at the times we posted. We found out the trash at the same time. I remember I had this thing once more but that was some time ago....so was out of my system..

[RobinH]

@LeonZ

Gracias amigo!!!¡¡¡  I totally spaced that, told David I felt like a total loser...lol... anyway, glad they're both up and running. Mine luckily is just on a test server and is not my "real" Joomla page. I do everything on the test server first, so that if I lose my brain, or it turns into gristle, I don't mess up my real site.....

Anyway, great forums here for this kind of info.  Also, ignore my post over at MamboGuru, it's the same as here....

[Floranett]

Thanks alot to the guys for this great work to make this security fix possible 

[Ottobufonto]

Guys,
just switched on debug while merging some of my venue mods...

I get an awful lot of Undefined variable: recur_nextStartStamp in lib/event.inc.php
and Undefined index: events in default/theme.php that I hadn't seen before...

Edit: just to clarify - those where not variables I added...
edit2: forget it - just figured out that those are all old and known... never mind... I guess I forgot that I had them in the past...

Otto

[svenl]

THANKS !!!

The upgrade of this Component and the MiniCal module seems to worked fine for me.

The only thing about "data" was that all my daily pictures disappeared 
But I have an zip-file with most of them in one computer at the office (upload tomorrow).

/Sven

[muni]

Thanks, you saved this little wonderfull component.

[Slack]

Thanks for updating and securing this compnent!

I successfully upgraded a test site, however I am getting an error on my live site (which has abut 500 calendar entries).  Both the ExtCalendar component and the Mini-calendar module seem to install properly.  However, when I publish the Mini-calendar I get this error:

Fatal error: Cannot access empty property in /home/weenie/public_html/mambo/components/com_extcalendar/lib/event.inc.php on line 241

Here is a code snippet for line 241:

Code: Select all

} else {

				$this->endDate = strtotime($row['end_date']);

			}  <=This is line 241! 

Any ideas?

Thanks!

[deleted user]

I'm having the same problem as Slack. This is the offending line:

if ($this->$recur_nextStartStamp) $target_stamp = $recur_nextStartStamp;

I dimly recall something similar with the old extcal. It had to do with the recurrent events function. Back then I found a fiix (in the mambo forum I think...) -- I'll look into it.

Anyway, I did have some existing extCal entries. The new component and mod installed fine (though it added a new, second "General" Category)

After the uninstall/new install I uninstalled the extcal latest events mod. I deleted my old Calendar menu link and emptied the trash.

Do I need to kill the old ExtCal search mambot as well?

Thanks a lot those of you who exposed the secuity risk and are working on the new version.

FYI, here are some bugs and oversights with the old extCal I;ve recorded:

1) recurrent events function required a patch/code change to make the recurrent events function work right. It is still too limited--needs to allow events that recur on a specific day of the week. That is how most recurrent events work.
2) user submitted events do not identify the author. Integration with profiles, or Community BUilder would be excellent.
3) if your template uses mosPathway, it does odd things (though not just with extcal). click one of the view options (like "monthy view" in extcal) or "upcoming events" from the old latest events mod, and mosPathway tells me I am located at "News->Submit News->Guidelines" or "Submit Events" on my site. (http://www.riverwestneighborhood.org) Also my "Submit News" (JASubmit com) menu item will expand as if you clicked it to reveal the submenu item it has, which is (on my site) a "Submission Guidelines" link.

[klaatu]

Is it normal to have a directory called "upload" with full privileges under /admin/components/com_exctcalendar ?  I can't seem to either change permissions of this directory or delete it.

[deleted user]

Looks like here is some relevant disccusion I haven't seen before of the fatal error problem in the old extcal, and the solution is a little suspect:
http://forum.joomla.org/index.php/topic,42828.0.html

And I see to recall finding help here:
http://mamboxchange.com/tracker/index.p ... =&start=25

Is this the best way to go--just comment out the problematic line? It does work, or seems to.

[deleted user]

FYI, as with the old minical, some users may have problems with it on their template, especially in IE browsers.

For those (like me) who are not HTML/CSS masters, go into the minical mod file and modify the numeric width settings to suit your needs. (I just change them all to 100%.) Most are set to 135 (pixels) except the "add event" bar, which is 139 for some reason. No matter what pixel width you make it, on IE6 the "add event" bar kicks out further to the right than the rest of the calendar.

Note there is also a good darker theme for mincal from gtek:
http://www.gotgtek.com/cms/downloads/cat_view-211.html

[Elpie]

Just remember that the new version is a security release. Although we found some bugs which we fixed, we did not try to fix all the bugs (if we had, people would still be waiting for the release) so some of the issues that arose with the original ExtCal and module will still be there. They are annoyances though, not security issues  
ExtCalendar will be actively developed now so those issues are likely to be addressed in future.
Hope this helps.

[pateta12]

Just remember that the new version is a security release. Although we found some bugs which we fixed, we did not try to fix all the bugs (if we had, people would still be waiting for the release) so some of the issues that arose with the original ExtCal and module will still be there. They are annoyances though, not security issues  
ExtCalendar will be actively developed now so those issues are likely to be addressed in future.
Hope this helps.

Thanks for doing everything that you are doing.

Is there anyway to have this release in the forge.
I am pretty sure that there is a lot of people that might not be even aware of the different security issues with 3rd party components (I was one of those).  If you have this in the forge then people will be "safer" even if they didn't even realize what was going on.


Thanks again...

[technopuzzle]

I want to give a big KUDOS to all those that worked on this security update. Great job!

I also wanted to mention that in the original Latest Events module there was some type of hack needed so that you could display /  clone / use multiple copies of this module at the same time. I don't really remember what the hack was (because it was soooo looooong ago). But just wanted to give the developers a little nudge nudge wink wink about this - so that this type of functionality could be built into the revised version.

WARNING
the module mod_extcalendar_latest[/b] is NOT SECURE!

First, I'd like to offer a big thank you to those who voluntarily stepped up to fix the security issues recently discovered with this extension.  Ironically, I was just going to ask if the related modules are part of the planned security fix release or not (in addition to the component)?  I don't recall reading that as of yet.  Also, just curious...has the extcal download been unpublished from extensions.joomla.org?  I haven't seen it there, and I know I grabbed it last month. 

--Roger

[Ottobufonto]

Hi unixboymd,
that was my patch... It was put on the forge as the baseline version for the lastest_event_mod.

Just install the version from the forge, use the copy function in the module manager - rename it, enable "limit Events to selected cats" and select which cats you want to see in either module.

there is an extra patch on the forge that changes one line for recurring events in case you want to limit the number of days you want to look ahead. (if you use it - make sure to replace the correct line)

NOTE: This version has NOT been bullet proofed by Elpie and the team !!!!!!

otto

[nathandiehl]

can i suggest that this new version be submitted to the extensions site?

[WebJIVE]

ExtCalendar Security Release (0.9.2)

This is a security release for ExtCalendar taken from the 0.9.1 drop. This should work on both Joomla! and Mambo.
DO NOT Uninstall the ExtCalendar component unless you have a backup of your data or are willing to lose all your events. The previous ExtCalendar uninstall removes its data tables.

Steps to upgrade:
1.      Backup your site, including your database. Mamboguru.com has detailed instructions for backing up and restoring db with phpMyAdmin at http://wiki.mamboguru.com/index.php?tit ... e_database
2.      Log in as an admin
3.      Install the com_ExtCalendarRemoval-RC1.zip component (this removes ExtCalendar without deleting the data). If it reports any errors, please delete those directories using an FTP client or a file manager.
4.      Uninstall the ExtCalendarRemoval component.
5.      Install the new com_extcalendar_0_9_2_RC4.zip.

Removal Component here: http://mamboguru.com/downloads/ExtCalen ... al-RC1.zip

New ExtCalendar upgrade here: http://mamboguru.com/downloads/ExtCalen ... _2_RC4.zip

Security Update for MiniCal here: http://mamboguru.com/downloads/ExtCalen ... _3_RC2.zip

If you experience any problems with downloading or using this security release, please contact us through the Mambo Guru forums. This update applies to both Mambo and Joomla and we just cannot keep an eye on all the forums individually.

Hmm.. All the extcalremoval does for me is download a copy in index2.php to my local machine.  I thought I had permissions cranked down to hard but other components installed fine.  Any ideas?

[lucke13b]

Just wanted to say THANK YOU VERY MUCH to all the developers that worked on this!  I have been monitoring this post ever since Phil Taylor announced the issue in his mailer (which I appreciated--thank you Phil!)  The upgrade could not have been any easier to perform.  Amazing team work from an amazing community!  You have all helped me help hurricane Katrina volunteers keep the schedule rolling (http://www.olgv.org/)!  Thanks again!

Sincerely,

Billy (Milwaukee, WI)

[Elpie]

You have all helped me help hurricane Katrina volunteers keep the schedule rolling (http://www.olgv.org/)!  Thanks again!

Life is full of coincidences and your post has made me very happy Billy. I don't want to take this thread off-topic, but of the things I do, apart from OS and other work, you might care to look at my "baby" (an opportunity for some collaboration maybe?) http://disastersearch.org). It's not using ExtCalendar though! LOL

[Elpie]

Hmm.. All the extcalremoval does for me is download a copy in index2.php to my local machine.  I thought I had permissions cranked down to hard but other components installed fine.  Any ideas?

Can you give me more details please BoardJIVE? What's your system running?

[mom2nine]

Want to add my heartfelt thanks for the folks who spent time fixing the problem with this component,  you guys ROCK!

[WebJIVE]

Hmm.. All the extcalremoval does for me is download a copy in index2.php to my local machine.  I thought I had permissions cranked down to hard but other components installed fine.  Any ideas?

Can you give me more details please BoardJIVE? What's your system running?

Hi Elpie.   My system is running Joomla 1.0.10 and extcal .91 and the latest events module.  I would provide more info in a PM if you would like.  A little paranoid these days with all the hacking.  This site is a customer site that I developed a while back.

Thanks for the GREAT work!!!

[koltz]

Thanks for the fix and update.  Does anybody have the mod_extcalendar_latest file or does this still need to be fixed?  It allows you to post on the mian page upcoming events.

Thanks,

Corey

[Slack]

Latest Events still needs to be fixed.

dpk, thanks for the "comment out" solution - dunno what effect it has, but at least the mini-calendar is running.

[fonny]

Elpie,

Thanks for the nice job. I was hit by a hacker.

Could you also inform the Security Focus website that a solution is available ? 
See http://www.securityfocus.com/bid/18876/solution
and the Echo Research Development Centre ? See
http://advisories.echo.or.id/adv/adv36- ... e-2006.txt

greetings
fonny

[Elpie]

Hi fonny,
SecurityFocus were notified but didnt read the email very carefully it seems
They have ExtCalendar listed under a couple of different ID's and updated only one, but not with the correct information (http://www.securityfocus.com/bid/19042/solution).

davdrrm who did most of the coding for the updated version intends to get this up on the forge and onto the extensions site soon, which will make it easier for people to find.

 

[Elpie]

@BoardJIVE - have you changed anything on your site that may be preventing installation?  Nobody is able to reproduce the problem you are having and no-one else has reported it, so its looking likely that there is something in your site/server setup that is preventing installation.
Sorry, I know this is not much help

[ssherlock]

Latest Events still needs to be fixed.

dpk, thanks for the "comment out" solution - dunno what effect it has, but at least the mini-calendar is running.

Would this be as simple as adding the following?
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
to the php files?

I should add I'm only asking because I've seen this mentioned elsewhere and it's NOIT because I actually know what I'm talking about!

I hope the above is the case because it is a very useful component and my site is missing it.

[Elpie]

Latest Events still needs to be fixed.

dpk, thanks for the "comment out" solution - dunno what effect it has, but at least the mini-calendar is running.

Would this be as simple as adding the following?
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
to the php files?

No. Adding that line would make it safer, but it would still be vulnerable.