[UPGRADE AVAIL.] ExtCalendar Vulnerability

[Wil]

Latest Events still needs to be fixed.

dpk, thanks for the "comment out" solution - dunno what effect it has, but at least the mini-calendar is running.

Would this be as simple as adding the following?
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
to the php files?

No. Adding that line would make it safer, but it would still be vulnerable.

Any chance that it will be fixed on short term? 

[exian]

Rather than adding the _VALID_MOS check at the top of *EVERY* file, you could turn off the PHP setting register_globals. If you don't have access to the web host's php.ini, you may also be able to edit (if it exists) or create a file called .htaccess in Joomla's folder with the following contents:

php_value register_globals "0"

Note that this only works with Apache. ExtCalendar is not the only component affected. The phpBB2 bridge (com_forum) that I was using is also affected. I wouldn't be surprised if more crop up. I think the best solution is turning off register_globals.

If the component has a config file you could also add the following to it (assuming it's PHP):

if(strpos($mosConfig_absolute_path, '://')) {
  echo("Hack attempt detected!");
  exit;
}

This relies on the component including it's config file before anything else. Most do.

The exploit takes advantage of register_globals and allow_url_fopen being on, then goes to a page with: http://your.site.com/joomla/components/ ... er.com/xyz

Then any file that has include($mosConfig_absolute_path ."/some/file.php"); now includes the remote file in it's code. The attacker just creates a file called /some/file.php on their server and they can run anything they want right on your web server. I'm just saying a global solution is best.

---------------------
-- Ian
http://www.extrosoft.com

[SKv]

Any chance that it will be fixed on short term? 

I am working on it. It's not that I am crazy about it but I have to do it. 

Any help will be appreciated.

[emma]

Hi Everyone,

I need some software for a top banner, and 5 on the left hand side of the site and seven boxes on the left.....

I would like them to all be rotating.

Can anyone suggest which software i should use?

Thanks,
Rgds, Emma

[sc00zy]

Hi Everyone,

I need some software for a top banner, and 5 on the left hand side of the site and seven boxes on the left.....

I would like them to all be rotating.

Can anyone suggest which software i should use?

Thanks,
Rgds, Emma

Hi Emma,

This topic is about ExtCalendar.

Make a new topic for your question please.

[koltz]

Noticed a bug and didn't see it posted in this thread.  When viewing the calendar in Monthly View, and there are more than one event scheduled for that day, only one will be displayed multiple times, but if I click on daily view, it will then display fine.

This isn't just on my test site, but noticed it up on Riverwest Neighborhood's site:

http://www.riverwestneighborhood.org/co ... e,cal/lang,/

Corey

[Elpie]

This patch was given some time ago to fix that (note, I haven't tried it so use at your own risk)

Line 79:

Code: Select all

$database->setQuery("SELECT MAX(id) FROM #__menu WHERE link LIKE '%index.php?option=com_extcalendar%' AND published <> '
-
2'");

Change to:

Code: Select all

$database->setQuery("SELECT id FROM #__components WHERE link LIKE '%option=com_extcalendar%'");

[koltz]

Thanks for the code.  What file?  Should be integrated (and checked) with the new version of this also since it is a bug.

Corey

[Elpie]

Oops! Sorry, this is in mod_extcalendar_latest.php

[koltz]

Same thing

[leolam]

Noticed a bug and didn't see it posted in this thread.  When viewing the calendar in Monthly View, and there are more than one event scheduled for that day, only one will be displayed multiple times, but if I click on daily view, it will then display fine.

This isn't just on my test site, but noticed it up on Riverwest Neighborhood's site:
http://www.riverwestneighborhood.org/co ... e,cal/lang,/
Corey

1. this does not need to be a bug. it could be setting related
2. please post this in 3rd party component board as a new thread because i think we should keep this thread to the ExtCalendar Vulnerability issue?

cheers
Leo

[leolam]

Oops! Sorry, this is in mod_extcalendar_latest.php

Lynne,
I have send David the files i am talking about....the mod_extcalendar_latest.php does has the direct access protection but still open (we think)
but the second one in the package is extcal_latest_func.php which lacks any protection and is as open as the ozon layer above "Down-Under" and Kiwi-Islands"  So let's see where  Master-Dave comes up with 

Take care (both of you )

Cheers
Leo

[davidrrm]

Yep, extcal_latest_func.php is missing the defined("_VALID_MOS") or die line, but it's saved by having only functions in it, so if it were accessed directly no code would run. I think every file should have that direct access check, just to make it easier for us to audit components, so it should be added when the module is updated. I also dislike that the file is included in mod_extcalendar_latest.php prior to the defined("_VALID_MOS") line. Again, this does not appear to be a security problem now, but the code might be changed later in a way that would cause a problem.

Thanks for pointing this out. That file's hidden pretty well there.

david

[leolam]

Yep, extcal_latest_func.php is missing the defined("_VALID_MOS") or die line, but it's saved by having only functions in it, so if it were accessed directly no code would run. I think every file should have that direct access check, just to make it easier for us to audit components, so it should be added when the module is updated. I also dislike that the file is included in mod_extcalendar_latest.php prior to the defined("_VALID_MOS") line. Again, this does not appear to be a security problem now, but the code might be changed later in a way that would cause a problem.

Thanks for pointing this out. That file's hidden pretty well there.

david

dave,
according to some people who "claim" to be speicalist you might access the rest by utilizing this particulat file......your opinion?
cheers
Leo

[davidrrm]

Maybe it's because I'm up past my bedtime :-), but I don't see a way to get any code to run in that file. If someone accessed it directly, the file would be parsed but the only code in it is inside functions. There's no way to call those functions, so nothing would happen.

If the specialists have some more details about how an exploit might take advantage of it, I'd be interested in hearing it. As I mentioned, I think it's poor practice, but there doesn't appear to be a threat there.

david

[deleted user]

Oops! Sorry, this is in mod_extcalendar_latest.php

That can't be the correct file--it has nothing to do with the monthly displays. Plus, I don't even have this mod.

Time for a Reality Check: extCal is pretty but buggy and lacking in some major features that would make it really useful. Security fixes for it are nice, but who wants a secure, feature poor, buggy component?

I'm going to check out Events beta 1.3

[Elpie]

Time for a Reality Check: extCal is pretty but buggy and lacking in some major features that would make it really useful. Security fixes for it are nice, but who wants a secure, feature poor, buggy component?

Not you anyway  A lot of people are using it and were upset to find it was vulnerable.  David *is* going to work on it but you need to remember that ExtCalendar was abandonware and nothing had been done with it for the best part of a year. We didn't set out to fix the bugs or add features. The fact that some bugs were fixed in the security update was really incidental.  Heck, the three who worked on this (with David doing most of it) don't even use ExtCalendar on our sites!! LOL

[Ottobufonto]

Yep, extcal_latest_func.php is missing the defined("_VALID_MOS") or die line, but it's saved by having only functions in it, so if it were accessed directly no code would run. I think every file should have that direct access check, just to make it easier for us to audit components, so it should be added when the module is updated. I also dislike that the file is included in mod_extcalendar_latest.php prior to the defined("_VALID_MOS") line. Again, this does not appear to be a security problem now, but the code might be changed later in a way that would cause a problem.

Thanks for pointing this out. That file's hidden pretty well there.

Well, back then there weren't many open discussion about component security and it was a patch never really made to go public

Time for a Reality Check: extCal is pretty but buggy and lacking in some major features that would make it really useful. Security fixes for it are nice, but who wants a secure, feature poor, buggy component?

I'm going to check out Events beta 1.3

...

Reality check for who? Most people here use Extcal cause it has features they want - not cause there is no alternative. We all know that this project is not David's original work, not was it Scott and other David, nor Matt Friedman who made the fist mambo component.

Everybody that doesn't think Extcal meets their needs - please go and use something else! But please go quietly; otherwise stop complaining and start helping to improve the component.

People that where interested know that this version isn't even based on tha last beta of Extcal (which is alrady over a year old.
The Author is still working on it (very slowly though) and will hopefully publish a new beta some time soon.

Extcal has been adandonware on the Joomla/Mambo side for  along time. Maybe there are some good people ganging up as we speak to change that. IMHO the only way forward for a Joomla component is to get in contact with the original author and work off the latest code base and J10e (Joomla!ise) it. 

Edit: Apologies for OT post and polluting the thread.

Otto

[leolam]

All users do yourself a favor.....?

Please read back waht has been said and do not polute this thread....
Once agin here is the situation.........Many big vulnerabilities were discovered and many people have worked very hard to create a solution for thousands of very satisfied users of this calendar. Also go back a couple of posts where Elpie stated that something good might come out of this..so now just be unbelievable greatful to all these people guided by Elpie and David amongst many others who have tested the solutions as release (as i recall we had 3 or 4 overr the past week) which at the end resulted in a working calendar again. Now whether that ting is buggy or not is not relevant at this stage.....It is the most easiest calendar around and many people have been using it with lots of pleasure a have many of our customers.

So let's just wait and see what is coming out of it for beauty?

cheers 
Leo

[Nightmunky]

I saw a calendar component today called Thyme that appears to be ported for Joomla.  Anyone have experience with it?  I'm running news and information sites, we HAVE to have an events calendar.  Never dreamed something like this would happen, especially since I'd upgraded to 1.10 in Joomla.  Just goes to show, it can happen anytime, anywhere.

There's a 'Thyme' topic here: http://forum.joomla.org/index.php/topic,54772.0.html

[technopuzzle]

Is there any timeline on if/when you most gracious and generious developers will "fix" the issues with the latests events module?

No pressue from me, but my wife is really pitching a fit since I unpublished it / renamed it / disabled it on our site.

Thanks again for all the hard work and bringing this great calendar component back from the dead.

[deleted user]

Some people here are looking for solutions with an eye on the big picture: functional software.

Unfortunately, I have determined that ExtCal really is the best open source calendar that is available. There is no good alternative.

Yes it's great we have more secure version of ExtCal, but it remains a bug-laden, albeit pretty, POS. Denial doesn't make it better. Bugs are always relevant. Perhaps many people have enjoyed a buggy ExtCal, but I do not enjoy having mostly recurring events that ExtCal cannot handle, or multiple events per day, which will not display properly on the monthly view.

FYI, here is how to fix that last bug, which ought to be incorporated (with others mentioned earlier) into the latest file release:
http://forum.joomla.org/index.php?PHPSE ... 680.0.html
http://forum.joomla.org/index.php?topic=39582.msg321766

For the benefit of others who find or follow this thread looking for a good calendar system:

Events 1.3 is only marginally better than ExtCal. Its recurrent event options are badly organized, incomplete, and described in bad English that adds to the confusion. The author also appears not to have much familiarity with the mathematical peculiarities of the Gregorian calendar. Events List looks like the big winner with all kinds of extras, except it is more suited for club/entertainment notices and is now exclusively for Joomla. Thyme really appears to be the only quality calendar option; unfortunately it is a standalone commercial piece of software.

In the interest of being even more constructive, let me suggest that anyone developing ExtCal or any event calendar software first familiarize themselves with quality models: Thyme, Events List, and the simple and effective recurrent event concept in the interface for Microsoft Outlook.

[Da3dalus]

so what about ExcCal latest events module after all? we're waiting for it's security version passionately! :-*

[davidrrm]

My apologies, I thought this was posted already.

There is no known security issue with Ext calendar latest modulle. Yes, one file is missing the defined('_VALID_MOS') or die.. line, but that file consists entirely of functions so it has no code that will execute if called directly. Two of us have reviewed the code and while it may have other problems, a known security vulnerability is not one of them.

A version is being worked to improve it and we'll add that line to the file of functions just to make us all feel better, but in the meantime the previous release is fine (and I'll get it posted in the new project on the Forge when I get a spare minute).

If anyone has knowledge of a security vulnerability, please PM me with the details and we'll investigate.

david

[leolam]

My apologies, I thought this was posted already.
If anyone has knowledge of a security vulnerability, please PM me with the details and we'll investigate.
david

David,
The reason for me raising the alarm a couple of pages ago in this thread was the fact that the main file latest_extcalendar.php or so whatever the name is was NOT having the ('_VALID_MOS') or die.. line incorporated on two of our client sites! I do concur that the functions in the other file do not post a security thread itself after renewed consultations with the php-guys but as you stipulate the file could be hammered tied with some extra's as you are working on..I do think it is a good idea to post the file-version of mod_extcalendar_latest.php  you have just here as an attachment  (not the module) for people to overwrite their current version just to be sure that they all have the latest "more-or-less-secure" version. Sounds like a plan? 

cheers
Leo

[davidrrm]

In the two versions (numbered .5 and .7.2.5) I looked at the main file was fine. In .7.2.5 there's a function file that does not have the line, but is ok since it only has functions. If it increases everyone's feeling of security I'll update the function file and post it here. I'll do that in a few hours, I want to double check that it works with that change (I'm 99.999999% sure that it does, but I just want to be certain).

david

[leolam]

In the two versions (numbered .5 and .7.2.5) I looked at the main file was fine. In .7.2.5 there's a function file that does not have the line, but is ok since it only has functions. If it increases everyone's feeling of security I'll update the function file and post it here. I'll do that in a few hours, I want to double check that it works with that change (I'm 99.999999% sure that it does, but I just want to be certain).
david

With all respect with all you hav edone for this community (I so applaude you!)....The function file you talk about is extcal_latest_func.php This is not where i talked about...i suggested (!) to publish here "mod_extcalendar_latest.php" to secure people's emotions....Nothng wrong to insert the ('_VALID_MOS') or die.. line into the other file: extcal_latest_func.php  so again with all respect where do you need to be sure about? 

cheers
Leo

[mwep]

Thanks for helping to resolve the vulernabilities in ExtCal!

We are somewhat confused after reading the thread...

Is ExtCal Latest Events safe or should we remove it ?

Thanks!!!

[davidrrm]

I think there may be three versions running around, two which I've seen and one which I haven't but leolam has. If you feel comfortable looking through PHP code, you're looking for the line that starts

defined('_VALID_MOS') or die(

This should be in the mod_extcalendar_latest.php file. If it's there - great - if it's not, you do have a vulnerability.

If you don't want to do that and want to be on the safe side, I'd suggest removing the mod_extcalendar_latest for now (you must remove it, just unpublishing it doesn't do anything).

We'll hopefully have the definitely secure module shortly (i.e. within a day or two).

david

[davidrrm]

Thanks to Otto's work we have a new mod_extcalendar_latest that has the check for _VALID_MOS at the top of each file, and fixes a few bugs.

- fix for artf3004 / artf3555 - fix for non-registered users (not authorized to ...)
- fix for artf3455 - problem with stipping bb code from event description
- fix for artf4535 - shows all day events in advance

This is available on the new ExtCalendar project site on JoomlaForge - http://developer.joomla.org/sf/projects/extcalendar.

Many thanks to Otto for his work on this.

david