[UPGRADE AVAIL.] ExtCalendar Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

ssherlock
Joomla! Apprentice
Posts: 29
Joined: Wed Oct 05, 2005 9:29 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by ssherlock » Fri Jul 28, 2006 7:26 pm

davidrrm wrote: Thanks to Otto's work we have a new mod_extcalendar_latest that has the check for _VALID_MOS at the top of each file, and fixes a few bugs.

- fix for artf3004 / artf3555 - fix for non-registered users (not authorized to ...)
- fix for artf3455 - problem with stripping bb code from event description
- fix for artf4535 - shows all day events in advance

This is available on the new ExtCalendar project site on JoomlaForge - http://developer.joomla.org/sf/projects/extcalendar.

Many thanks to Otto for his work on this.

david
Thanks guys, this is much appreciated.
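
The announcement quoted above says the fixed module has the check for _VALID_MOS at the top of each file. As an added example (not part of this thread and not ExtCalendar code), this Python audit lists the .php files under a directory whose first statement is not that guard; the two accepted guard spellings and the names has_entry_guard and audit_tree are assumptions.

```python
import os
import re

# Whitespace and comments that may legitimately precede the guard.
_SKIP = re.compile(r"(?:\s|/\*.*?\*/|//[^\n]*|#[^\n]*)*", re.S)
# Assumed guard spellings: `defined('_VALID_MOS') or die(...)` and
# `if (!defined('_VALID_MOS')) ...`.
_GUARD = re.compile(
    r"""(?:defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b
        |if\s*\(\s*!\s*defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*\))""",
    re.I | re.X,
)


def has_entry_guard(source):
    """True if the first PHP statement in `source` is the _VALID_MOS guard."""
    opening = re.match(r"\s*<\?(?:php\b)?", source, re.I)
    if opening is None:
        return False  # file does not start in PHP mode: report it
    first_stmt = _SKIP.match(source, opening.end()).end()
    return _GUARD.match(source, first_stmt) is not None


def audit_tree(root):
    """Return sorted relative paths of .php files that lack the guard."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                if not has_entry_guard(fh.read()):
                    missing.append(os.path.relpath(path, root))
    return sorted(missing)


# Constructed samples, not taken from ExtCalendar.
GUARDED = """<?php
/** constructed module file */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
echo 'latest events';
"""
LATE_GUARD = """<?php
require_once( $mosConfig_absolute_path . '/lib.php' );
defined( '_VALID_MOS' ) or die( 'Restricted access' );
"""

if __name__ == "__main__":
    print(has_entry_guard(GUARDED), has_entry_guard(LATE_GUARD))
```

A guard that appears only after an include is reported as missing, because code above it still runs when the file is requested directly.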

deleted user

Post by deleted user » Fri Jul 28, 2006 9:04 pm

excellent! thanks for the new latest events mod. Here's hoping to see quality programmers reclaim extcal.
Last edited by deleted user on Fri Jul 28, 2006 9:07 pm, edited 1 time in total.

Slack
Joomla! Apprentice
Posts: 7
Joined: Wed Sep 21, 2005 7:09 pm

Post by Slack » Fri Jul 28, 2006 9:19 pm

Yes, thanks very much for the Latest Events update!

Your version fixed a repeat listing of recurring event items, so thank you for that. However, I do see a minor bug in that any new event that is entered in the calendar, regardless of the future date of the event -- also gets listed in the "Recent Events" section. Not a big deal, I just turned off "Recent Events" - but have others experienced this bug?

Cheers and thanks again,
slack

deleted user

Post by deleted user » Sat Jul 29, 2006 2:49 am

Slack, what was fixed for repeating events? I didn't notice that.

Where should bugs, suggestions, and desired features be posted? Nothing is open for that at the extcal spot on joomlaforge yet.

Current bugs:
* BB code is visible in "flat"/flyer view
* latest events and minical mods: following links from both mods will open the calendar but blank out my right column. Seems to have to do with multiple calendar menu items, like a "submit event" link, especially if it is a sub-menu option with "Calendar" as its parent item. Occasional mospathway confusion. (See http://www.riverwestneighborhood.org)

Desirable features:
* real, complete recurring events option
* allow html/mostlyce in event entry
* rss output
* email subscriptions
* ability to edit events from backend
* ability to treat events as articles and post to newsletters

leolam
Joomla! Master
Posts: 20243
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Post by leolam » Sat Jul 29, 2006 3:19 am

davidrrm wrote: Thanks to Otto's work we have a new mod_extcalendar_latest that has the check for _VALID_MOS at the top of each file, and fixes a few bugs.

- fix for artf3004 / artf3555 - fix for non-registered users (not authorized to ...)
- fix for artf3455 - problem with stripping bb code from event description
- fix for artf4535 - shows all day events in advance
This is available on the new ExtCalendar project site on JoomlaForge - http://developer.joomla.org/sf/projects/extcalendar.
Many thanks to Otto for his work on this.
david
I do concur...this is good and solid!

Very well done and many thanks!
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services

Slack
Joomla! Apprentice
Posts: 7
Joined: Wed Sep 21, 2005 7:09 pm

Post by Slack » Sat Jul 29, 2006 4:16 am

Slack, what was fixed for repeating events? I didn't notice that.
Hi dpk,

well - I never did come across anyone having a similar problem -- this started a month or so ago -- I would have the same "Latest Event" list itself multiple times and they would all have the date 2026 (instead of 2006), these were recurring events. When one event passed by, another multiple listing would take its place. Weird, but this update fixed that.

Pardon the digression, but I have a PM, but not the security to reply to it.  Am I missing something?

Thanks,
slack

Da3dalus
Joomla! Apprentice
Posts: 17
Joined: Wed Nov 09, 2005 8:36 pm

Post by Da3dalus » Sat Jul 29, 2006 7:38 am

david, you're a hero! THANKS!

8)

sc00zy
Joomla! Exemplar
Posts: 9532
Joined: Thu Aug 18, 2005 9:07 am
Location: Assen, Netherlands

Post by sc00zy » Sat Jul 29, 2006 8:53 am

davidrrm wrote: Thanks to Otto's work we have a new mod_extcalendar_latest that has the check for _VALID_MOS at the top of each file, and fixes a few bugs.

- fix for artf3004 / artf3555 - fix for non-registered users (not authorized to ...)
- fix for artf3455 - problem with stripping bb code from event description
- fix for artf4535 - shows all day events in advance

This is available on the new ExtCalendar project site on JoomlaForge - http://developer.joomla.org/sf/projects/extcalendar.

Many thanks to Otto for his work on this.

david
Thanks Otto and everybody else who has worked on the component and modules. It will make a lot of people very happy :D
Arjan Menger
https://welldotcom.nl - Puntgaaf Internetbureau

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Post by Elpie » Sat Jul 29, 2006 1:16 pm

dpk wrote: excellent! thanks for the new latest events mod. Here's hoping to see quality programmers reclaim extcal.
The new ExtCalendar project has been opened on the forge and project lead is davidrrm, whose wonderful work has meant that not only is the latest ExtCalendar secure but the old, abandoned project is now under new development and moving forward again.  ExtCalendar is alive and well and in some very capable hands :)
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Post by davidrrm » Sat Jul 29, 2006 6:49 pm

Thanks for the kudos and to everyone else who has (and will - there's no way I'm going to have the time to take this on myself) helped out.

My apologies for being slow on the administrative details - getting the forge set up completely, uploading releases, even making the project public (oops :-) ). I'm spending some time today getting it up and we'll have trackers, etc. up and running.

davidrrm

leolam
Joomla! Master
Posts: 20243
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Post by leolam » Sat Jul 29, 2006 7:19 pm

davidrrm wrote: Thanks for the kudos and to everyone else who has (and will - there's no way I'm going to have the time to take this on myself) helped out.

My apologies for being slow on the administrative details - getting the forge set up completely, uploading releases, even making the project public (oops :-) ). I'm spending some time today getting it up and we'll have trackers, etc. up and running.

davidrrm
Dave, I am offering help... you have my details
Leo

IBJamon
Joomla! Apprentice
Posts: 5
Joined: Sun Jul 30, 2006 1:18 am

Post by IBJamon » Sun Jul 30, 2006 1:43 am

Hello, and thanks a lot for this new, secure ExtCalendar!  I noticed that you put up a site at http://developer.joomla.org/sf/projects/extcalendar, so I downloaded my copy from there.  I have one problem though, and since  I am new to this community, I'm not sure how to solve it.  :(  I resurrected an old post here: http://forum.joomla.org/index.php/topic,25046.0.html so, feel free to post there, or slap me silly because these people had the problem before this release.  Thanks ahead of time for your help!

  IBJamon

IBJamon
Joomla! Apprentice
Posts: 5
Joined: Sun Jul 30, 2006 1:18 am

Post by IBJamon » Sun Jul 30, 2006 1:28 pm

I was able to get part of the way there by enabling output_buffering in php.ini. It's only partway there. See the thread for more info. Now I get two copies of the table, and save doesn't work...

    IBJamon

fireman
Joomla! Intern
Posts: 96
Joined: Sun Aug 28, 2005 1:12 am
Location: Indianapolis, Indiana

Post by fireman » Mon Jul 31, 2006 7:19 am

>:( everyone seems to be kissin up to the fact that this cal is back.  but why does it still have the search bug in it?  either it should be fixed or a sticky posted on how to change the code.
"...as for me and my house, we will serve the LORD."

sc00zy
Joomla! Exemplar
Posts: 9532
Joined: Thu Aug 18, 2005 9:07 am
Location: Assen, Netherlands

Post by sc00zy » Mon Jul 31, 2006 8:06 am

fireman wrote: >:( everyone seems to be kissin up to the fact that this cal is back.  but why does it still have the search bug in it?  either it should be fixed or a sticky posted on how to change the code.
It's a security release... please read back...

leolam
Joomla! Master
Posts: 20243
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Post by leolam » Mon Jul 31, 2006 8:32 am

fireman wrote: >:( everyone seems to be kissin up to the fact that this cal is back.  but why does it still have the search bug in it?  either it should be fixed or a sticky posted on how to change the code.
If all these wonderful people would not have been so kind to spend loads of time you would have had now NO Ext-Calendar........at all!.....Please read as Arjan said....these people have worked around the clock to make it possible for you to use the calendar at all.....

Leo

deleted user

Post by deleted user » Mon Jul 31, 2006 1:25 pm

Oh great, a search bug too? Let me know if anyone has a solution for it. I've already changed my version of the security release to fix several known bugs.

Will there be a new release soon that at least incorporates the old known bug fixes? That really should be done ASAP.

Ottobufonto
Joomla! Enthusiast
Posts: 118
Joined: Tue Sep 06, 2005 10:53 pm

Post by Ottobufonto » Mon Jul 31, 2006 1:43 pm

Could people stop discussing about open bugs...
you can do three things to help.

- if you have a bug that bugs you - submit it to the  bug tracker.
- if you have a fix to a known bug - submit it to the bug tracker and include the fix.
- if you have a feature request - submit it to Feature Requests.

all can be found here.
http://forge.joomla.org/sf/tracker/do/l ... ar/tracker

Until then - this is a discussion about security related problems with Extcal - please stick to that.

If you have to post publicly about your issue - open a new thread in the appropriate forum.

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Post by Elpie » Mon Jul 31, 2006 1:44 pm

dpk wrote: Will there be a new release soon that at least incorporates the old known bug fixes? That really should be done ASAP.
That all depends on availability. Unfortunately, we each have to balance competing needs. I know that for me, bug fixes are a very low priority right now as I am already working on a schedule of very little sleep between employment and the huge number of hacked sites I am dealing with. Every new day is bringing more people knocking at my (virtual) door with more problems from hacked sites.
But, hey, this is open source so anyone who wants to can just get on with fixing bugs ;)

deleted user

Post by deleted user » Mon Jul 31, 2006 2:27 pm

Elpie wrote:But, hey, this is open source so anyone who wants to can just get on with fixing bugs ;)
Well yes and no. I've done repairs for myself, but I can't change what people are downloading from joomlaforge and elsewhere.

If you want another thread for this, OK, but the bug topic shouldn't be shut down. When people have bug problems, google brings them here.

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Post by Elpie » Mon Jul 31, 2006 3:03 pm

ExtCalendar is used by both Joomla and Mambo and is getting discussed on several forums. Bugs, suggested fixes, etc HAVE to be on the project site on the forge otherwise it becomes an absolute nightmare to manage. 

The devs just cannot monitor every forum, nor can they be expected to keep checking this thread on the off-chance that someone is raising an issue unrelated to the security update.  Time spent checking forums is time taken away from coding.

Please use the tracker on the forge.

RobinH
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Post by RobinH » Mon Jul 31, 2006 3:20 pm

Elpie wrote: Please use the tracker on the forge.
Hey Elpie, could you please post the link to the Forge dev site here so we can easily find it for this kind of stuff?

Thanx in advance!!!

deleted user

Post by deleted user » Mon Jul 31, 2006 3:36 pm

The forge link has been posted several times already: http://forge.joomla.org/sf/projects/extcalendar
Please read further back in discussions!

I am posting wanted items and bugs to the forge. Where are other discussions of extcal issues that should be included?

Forums are still a good place to discuss them as long as people get referred to the forge and important info is posted there. Discussion forums are where google takes most people looking for solutions....

deleted user

Post by deleted user » Mon Jul 31, 2006 3:58 pm

Anything we can do to get redirects or updates to the old extcal stuff here:
http://sourceforge.net/projects/extcal
http://mamboxchange.com/frs/?group_id=1168

deleted user

Post by deleted user » Mon Jul 31, 2006 7:34 pm

new topic for general discussion of extcal:
http://forum.joomla.org/index.php/topic,81682.0.html

nemuelcruz
Joomla! Fledgling
Posts: 4
Joined: Tue Aug 01, 2006 3:56 pm

Post by nemuelcruz » Tue Aug 01, 2006 5:09 pm

THANKS TONS>.........

bitpt
Joomla! Fledgling
Posts: 3
Joined: Wed Aug 02, 2006 11:33 pm

Post by bitpt » Wed Aug 02, 2006 11:44 pm

New mass exploit to sites with extcalendar not updated. I catch the code in a German server and test updated.
they publish sites hacked today here:

http://www.suicast.org/forums.php?m=posts&q=110&n=last

The attack script code is in this domain hosted in German

http://barikat.org/........

Attacker doesn't use spoof or a proxy, has a direct IP; try later, attack again, but extcalendar update stops this attack.

If someone needs more information, contact me pls
Last edited by bitpt on Thu Aug 03, 2006 12:39 pm, edited 1 time in total.

infograf768
Joomla! Master
Posts: 19019
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Post by infograf768 » Thu Aug 03, 2006 6:14 am

bitpt wrote: New mass exploit to sites with extcalendar not updated. I catch the code in a German server and test updated.
they publish sites hacked today here:

http://www.suicast.org/forums.php?m=posts&q=110&n=last

The attack script code is in this domain hosted in German

http://barikat.org/........

Attacker doesn't use spoof or a proxy, has a direct IP; try later, attack again, but extcalendar update stops this attack.

If someone needs more information, contact me pls

PM details to Robs.
Jean-Marie Simonet / infograf · http://www.info-graf.fr
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm

Post by Elpie » Thu Aug 03, 2006 7:01 am

It's good to know that the ExtCalendar update has stopped this new exploit - thanks for sharing.

nemuelcruz
Joomla! Fledgling
Posts: 4
Joined: Tue Aug 01, 2006 3:56 pm

Post by nemuelcruz » Thu Aug 03, 2006 12:15 pm

Thanks for sharing this with all of us...

can you PM the details to me please?
Thank you
nc

