[UPGRADE AVAIL.] ExtCalendar Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Forum rules
Locked
n0fear2
Joomla! Apprentice
Joomla! Apprentice
Posts: 34
Joined: Tue May 23, 2006 3:33 pm

Re: ExtCalendar

Post by n0fear2 » Tue Jul 11, 2006 12:39 pm

Floranett wrote:
albi wrote:
Floranett wrote: Is there a new secure version of ExtCalender we can use?
[/quote

http://extensions.joomla.org/component/ ... Itemid,35/
Thanks alot albi m8, but can this be used with Mambo 4.5.3?  :)
Nice Calendar.. BUT this one can not use Pictures/Flyer/Logos ... so anyone knows a good one with able to upload flyer

 
User avatar
nathandiehl
Joomla! Champion
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA
Contact:

Re: ExtCalendar

Post by nathandiehl » Tue Jul 11, 2006 12:52 pm

Floranett wrote: Thanks alot albi m8, but can this be used with Mambo 4.5.3?  :)
It might work on a mambo install, but you might seriously consider switching to Joomla!. after the forthcoming 1.5, mambo and Joomla! will continue to become more and more different.
Meaning, although it may work now, if, in six months there is a high-level security issue, the coders will fix it for 1.5 and likely will not worry about the 1.0.x codebase.

I would suggest you either convert to Joomla!, where you can obviously get more and better support, or else use a calendar component which will continue to be supported on mambo.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

Floranett
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 160
Joined: Sun Mar 12, 2006 7:11 pm

Re: ExtCalendar

Post by Floranett » Tue Jul 11, 2006 12:57 pm

nathandiehl wrote:
Floranett wrote: Thanks alot albi m8, but can this be used with Mambo 4.5.3?  :)
It might work on a mambo install, but you might seriously consider switching to Joomla!. after the forthcoming 1.5, mambo and Joomla! will continue to become more and more different.
Meaning, although it may work now, if, in six months there is a high-level security issue, the coders will fix it for 1.5 and likely will not worry about the 1.0.x codebase.

I would suggest you either convert to Joomla!, where you can obviously get more and better support, or else use a calendar component which will continue to be supported on mambo.
Thank for the tip @nathandiehl , and I've seriously thinking about it. BUT...my site is BIG with a lot of components and modules ++ ..so Im a bit afraid not everything will work ok if I made the switch to Joomla ???

Can you have a look @nathandiehl  and pm me what you think?
I'll pm you my website url.

lib99
Joomla! Intern
Joomla! Intern
Posts: 90
Joined: Wed Sep 28, 2005 12:52 am
Location: New York, USA

Re: ExtCalendar

Post by lib99 » Tue Jul 11, 2006 1:20 pm

n0fear2 wrote: // no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );

insert this in extcal.php  as far as i read this fiexes the problem? RIGHT?
Read RobS' suggestion above in this discussion thread:
http://forum.joomla.org/index.php/topic ... #msg390097

You need to add those lines to every file of the extcal component.  That is a minimum fix, there still may be other problems found.

pdstein
Joomla! Apprentice
Joomla! Apprentice
Posts: 18
Joined: Sat Jun 24, 2006 12:18 am

Re: ExtCalendar

Post by pdstein » Tue Jul 11, 2006 1:46 pm

I'm fairly new to Joomla and have several questions I'm hoping someone can answer to help clarify this situation.

The first issue, is as a stop-gap measure how to prevent the extCalendar from being exploited.
danialt wrote: Put the

defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

on the top of extcalendar.php..
1) Does this plug the hole and allow you to continue using extCalendar or does it suspend access to the extCalendar?

2) What is the best way to temporarily disable extCalendar until it becomes clearer whether a security update will be released or we need to change to a new calendar component?

3) As someone else asked, in what file is the "Powered by extCalendar" text.  If that's what hackers are searching for it could help to remove that text.

The next issue is where do we go from here...

4) Is there a process for continuing the development of a component that is no longer being actively worked on by the original developer?  Can/will someone else take over the development of this component?

5) What alternative calendar components are available?  I've seen eventCal mentioned 1.5 mentioned, but consider it was only released today I'm concerned that it has not been put through its paces and could be buggy or even have security holes itself.
Last edited by pdstein on Tue Jul 11, 2006 2:23 pm, edited 1 time in total.

countryboy
Joomla! Apprentice
Joomla! Apprentice
Posts: 45
Joined: Thu May 11, 2006 10:34 pm

Re: ExtCalendar

Post by countryboy » Tue Jul 11, 2006 6:49 pm

RobS wrote: There is a com_events and another calender that I have heard will be released tomorrow so stay tuned to the Extensions page and check that out. 
config.php has the statement in the script.  I am changing other files now.

Thanks.

User avatar
nathandiehl
Joomla! Champion
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA
Contact:

Re: ExtCalendar

Post by nathandiehl » Tue Jul 11, 2006 7:27 pm

pdstein wrote: I'm fairly new to Joomla and have several questions I'm hoping someone can answer to help clarify this situation.

The first issue, is as a stop-gap measure how to prevent the extCalendar from being exploited.
danialt wrote: Put the

defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

on the top of extcalendar.php..
1) Does this plug the hole and allow you to continue using extCalendar or does it suspend access to the extCalendar?

2) What is the best way to temporarily disable extCalendar until it becomes clearer whether a security update will be released or we need to change to a new calendar component?

3) As someone else asked, in what file is the "Powered by extCalendar" text.  If that's what hackers are searching for it could help to remove that text.

The next issue is where do we go from here...

4) Is there a process for continuing the development of a component that is no longer being actively worked on by the original developer?  Can/will someone else take over the development of this component?

5) What alternative calendar components are available?  I've seen eventCal mentioned 1.5 mentioned, but consider it was only released today I'm concerned that it has not been put through its paces and could be buggy or even have security holes itself.
1. There is no guarantee this is the only hole. It might work. It might not. Development stopped on extCal2 a few years ago.
2. There will be no security update from the developer. It has not been developed for years, and it is unreasonable to assume an official fix will be issued. (although i give a 0.05% chance we could see a fix)
3. ahhh..do a search on your local computer for the text in a file. i don't know off hand. but this isn't a very good 'anti-hacking' scheme. pretty easy to get around.
4. haven't heard of any development in several years. You are welcome to further develop the component and release an update.
5. extensions site is here: http://extensions.joomla.org  search for calendars.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

Rommulus
Joomla! Apprentice
Joomla! Apprentice
Posts: 11
Joined: Mon Nov 21, 2005 8:50 pm

Re: ExtCalendar

Post by Rommulus » Wed Jul 12, 2006 1:00 am

I too was hit by this hack on Saturday evening, but thank goodness for BigApe ;D

I wondered about what steps I need to take to protect my site. Is it enough to disable the ExCal modules, do I need to rename the folder they are in, or should I just uninstall the component completely?

Thanks for your advice.

DP

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: ExtCalendar

Post by RobS » Wed Jul 12, 2006 1:51 am

I would suggest you uninstall completely.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
norman
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 107
Joined: Thu Aug 18, 2005 2:25 pm
Location: us
Contact:

Re: ExtCalendar

Post by norman » Wed Jul 12, 2006 3:16 am

I have tried the repair suggested in this forum, but the only thing holding this hack at bay are my php.ini disallow settings and my security settings in httpd.conf.

too bad no one is working on this component as it really is the best of its kind.

How can I get more information about what this exploit is trying to do? I have a copy of the one that is trying to crack my sites.
"The journey is the destination"

ragots
Joomla! Apprentice
Joomla! Apprentice
Posts: 46
Joined: Wed Nov 30, 2005 3:42 pm

Re: ExtCalendar

Post by ragots » Wed Jul 12, 2006 7:37 am

Is it normal to still have install.extcalendar.php in the com_extcalendar folder ?
I deleted it.
No effect on the calendar which seems to run fine without it.

I was always told all install files should be deleted.

Am I wrong ?

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: ExtCalendar

Post by RobS » Wed Jul 12, 2006 7:44 am

From what I remember they were only supposed to be run during the installation process.  If the component's xml file were misconfigured it could cause it to be installed like a regular file and therefore stick around after the installation process ended. 
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

subliminaki
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Fri Sep 16, 2005 10:43 am

Re: ExtCalendar

Post by subliminaki » Wed Jul 12, 2006 9:24 am

http://www.frsirt.com/english/reference/15352

I've tried the xploit on my local server and it really works: the .txt file passed in the url is opened in the browser...

I added the two rows:

/** ensure this file is being included by a parent file */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

and the exploit do not work again

Is it possible that it is the only patch?

I've searched for the string "global $mosConfig_absolute_path;" and i've founded it only in com_extcalendar/extcalendar.php

Anyone has any idea?

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: ExtCalendar

Post by RobS » Wed Jul 12, 2006 9:30 am

Yes, this is one of the ways to fix it, for now.  We are not sure if that will solve all of the problems related to that script though.  Also, make sure that you add that code to all of the files that extCalendar installed in components/com_extcalendar/ and administrator/components/com_extCalendar/.  I must advise that you try to migrate to another Calendar component as extCalendar has not been developed for a long time and could easily have more security issues.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

subliminaki
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Fri Sep 16, 2005 10:43 am

Re: ExtCalendar

Post by subliminaki » Wed Jul 12, 2006 10:28 am

I've seen that in the file cal_popup.php of extcalendar component there are these code lines:


/** Set flag that this is a parent file */
define( '_VALID_MOS', 1 );

why???

joomlaturk
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Thu Aug 18, 2005 10:40 pm
Location: las vegas USA
Contact:

Re: ExtCalendar

Post by joomlaturk » Wed Jul 12, 2006 1:27 pm

albi wrote:
Floranett wrote: Is there a new secure version of ExtCalender we can use?
http://extensions.joomla.org/component/ ... Itemid,35/
Maturity: Alpha

yeah, but eventcal is alfa version yet. that might mess up joomla very easy
installing any alfa 3P componants is not a good idea in my opinion
joomla 1.6 Türk destek sitesi http://www.joomlaturk.net/

Floranett
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 160
Joined: Sun Mar 12, 2006 7:11 pm

Re: ExtCalendar

Post by Floranett » Wed Jul 12, 2006 1:32 pm

mamboturk wrote:
albi wrote:
Floranett wrote: Is there a new secure version of ExtCalender we can use?
http://extensions.joomla.org/component/ ... Itemid,35/
Maturity: Alpha

yeah, but eventcal is alfa version yet. that might mess up joomla very easy
installing any alfa 3P componants is not a good idea in my opinion
Tried it and wount work with Mombo 4.5.3.
Also been in contact with the author Kay through email telling me there probably be another version soon  :)

User avatar
PhilTaylor-Prazgod
Joomla! Ace
Joomla! Ace
Posts: 1220
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: ExtCalendar

Post by PhilTaylor-Prazgod » Wed Jul 12, 2006 2:45 pm

Thanks to Greg, inthe team here at Blue Flame IT Ltd, for his hard work this week where we have de-hacked over 20 websites for customers globally.

See his recent post on the Latest news of http://www.phil-taylor.com/
A number of sites have been hacked due to a security vulnerability in extcalendar. There are a couple of issues which need to be considered in relation to this. Firstly all Joomla php files (other than the index.php files) should contain a line which prevents direct access to the file froma web browser. This line does the trick:

defined( ‘_VALID_MOS’ ) or die( ‘Restricted access’ );

This should be the first line of php code in the file.

Secondly if php is configured with allow_url_fopen set to “On” then the php code will be potentially able to open files on other servers, so the programmer must be very careful not to allow global variables in include/require statements.

A patched version of extcalendar.php is available to download (Link on the blog at http://blog.phil-taylor.com/ )

More information on register_globals.  (Link on the blog at http://blog.phil-taylor.com/ )
Phil Taylor
Founder, Lead Developer
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/ - My Twitter Streams

User avatar
mediaguru
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 142
Joined: Mon Sep 19, 2005 3:56 am
Location: USA
Contact:

Re: ExtCalendar

Post by mediaguru » Wed Jul 12, 2006 3:17 pm

I had a client's site get hacked.  Fixed it and they hacked it again.  So I've removed extcal since it wasn't used on this site much anyway.  We'll see if that solves it.

richm
Joomla! Intern
Joomla! Intern
Posts: 50
Joined: Sun Nov 20, 2005 9:05 pm

Re: ExtCalendar

Post by richm » Wed Jul 12, 2006 5:36 pm

danialt wrote: 3) As someone else asked, in what file is the "Powered by extCalendar" text.  If that's what hackers are searching for it could help to remove that text.
I found it in the language file for extCalendar.  There is a 'Powered by %S' defined as the signature.  I blanked it out for now, but since the search engines cache pages of your site, it is not the best fix.

User avatar
brian
Joomla! Master
Joomla! Master
Posts: 11957
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK
Contact:

Re: ExtCalendar

Post by brian » Wed Jul 12, 2006 5:54 pm

its the url they are searching for eg com_extcal....
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

pdstein
Joomla! Apprentice
Joomla! Apprentice
Posts: 18
Joined: Sat Jun 24, 2006 12:18 am

Re: ExtCalendar

Post by pdstein » Wed Jul 12, 2006 6:19 pm

PhilTaylor-Prazgod wrote: Thanks to Greg, inthe team here at Blue Flame IT Ltd, for his hard work this week where we have de-hacked over 20 websites for customers globally.

See his recent post on the Latest news of http://www.phil-taylor.com/
A number of sites have been hacked due to a security vulnerability in extcalendar. There are a couple of issues which need to be considered in relation to this. Firstly all Joomla php files (other than the index.php files) should contain a line which prevents direct access to the file froma web browser. This line does the trick:

defined( ‘_VALID_MOS’ ) or die( ‘Restricted access’ );

This should be the first line of php code in the file.

Secondly if php is configured with allow_url_fopen set to “On” then the php code will be potentially able to open files on other servers, so the programmer must be very careful not to allow global variables in include/require statements.

A patched version of extcalendar.php is available to download (Link on the blog at http://blog.phil-taylor.com/ )

More information on register_globals.  (Link on the blog at http://blog.phil-taylor.com/ )
Thanks for posting this patch.  You said, "all Joomla php files (other than the index.php files) should contain a line which prevents direct access to the file from web browser." and yet the patch you've posted only adds that line to extcalendar.php.  So, does that line need to be added to all php files for the extCalendar component to patch the security vulnerability?  Or are you saying that best practice is to add that line to all php files, but in this case you really only need to update extcalendar.php?

User avatar
svenl
Joomla! Ace
Joomla! Ace
Posts: 1032
Joined: Mon Oct 17, 2005 1:50 pm
Location: Närke, Sweden
Contact:

Re: ExtCalendar

Post by svenl » Wed Jul 12, 2006 6:43 pm

I really like this calendar component and it's mini calendar with daily pictures.

I hope that someone can take care of the component and plugins and do an update to 1.5 standard and take away the security risk in it.
This was the first time I get hacked and it took me 2-3 hours to restore everything and do the updates in the ExCals php-files.

This time it seems that the hackers didn't destroy anything or put something own on the webplace, but next time??

/Sven
8)
-
Sanningen finns där ute, har du sökt efter ditt svar?
var svaret bra och löste ditt problem? Glöm då inte att ändra ditt första inlägg till löst (Solved)

User avatar
Joomlamahesh
Joomla! Apprentice
Joomla! Apprentice
Posts: 34
Joined: Mon Nov 28, 2005 5:00 pm
Location: Mumbai, India
Contact:

Re: ExtCalendar

Post by Joomlamahesh » Thu Jul 13, 2006 7:59 am

I also liked the component very much, but after going through varous security issues posted on this forum, a have uninstalled it and deleted all the folders relevant to it.

Even though I had applies all patches in the abovementioned discussion, made RG=off, written .htaccess file as per posts mentioned in other thread, I decided to delete the component for following reasons

1) Nobody is sure whether

defined( ‘_VALID_MOS’ ) or die( ‘Restricted access’ );
is the only problem.

2) There is no active development of this very beautiful component.

3) I don't want to get hacked again, and possibly this is the only vulnerable component I am using on my site. For other componets, either they are safe or there is no active discussion on their vulnerability.
A man is not finished when he is defeated,
He is finished when he quits

User avatar
Gregorius
Joomla! Apprentice
Joomla! Apprentice
Posts: 34
Joined: Sun Aug 21, 2005 4:34 am
Location: Melbourne, Australia
Contact:

Re: ExtCalendar

Post by Gregorius » Thu Jul 13, 2006 9:04 am

I have not yet implemented extCalendar, but I plan to on the new version of my site which i'm working on now.  I have been looking for a calendar component for my site for ages, that can do everything i need, and this is THE ONLY ONE that does it elegantly.

Therefore, I really really really still want to use it.  I do hope somebody can patch it.. either way I will be using it anyway... a more pressing concern for me than the security concerns (i'm sure there will be a fix for it eventually) is the fact that there is no active development, and it therefore may not work for Joomla 1.5... that is the most dissappointing thing for me. 

Anyway, thats my 2c worth... i'll be watching this forum to see what becomes of this whole saga.

thanks for all the info guys
greg
DoofCentral - Your Psychedelic Universe
http://www.doofcentral.com
- Trying to upgrade to Joomla, but that brick wall is starting to win the battle. :(

eggic
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu Jul 13, 2006 11:27 am

Re: ExtCalendar

Post by eggic » Thu Jul 13, 2006 11:41 am

I just registered to post these two links.  The vuneralibility talked about here has been known since April at http://forums.maroctour.com/index.php?a ... lm=default in the extcal forums.  http://forums.maroctour.com/index.php?a ... lm=default claims to have notified the Joomla Devs back on June 1st of this problem also.  The first offers a possible solution, but according to the second's description of the problem, it might not be complete.

davidrrm
Joomla! Explorer
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: ExtCalendar

Post by davidrrm » Thu Jul 13, 2006 12:07 pm

Several of us are working on a patched version of Extcalendar. I hope we can have a release today or tomorrow.

Anyone interested in helping test this before releasing, please PM me.

If anyone else has started working on a patched ExtCalendar, please PM me as well and we can combine our efforts.

david

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: ExtCalendar

Post by Elpie » Thu Jul 13, 2006 12:28 pm

Further to what David has said, please read this post: http://forum.joomla.org/index.php/topic ... #msg394539
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
zuze
Joomla! Explorer
Joomla! Explorer
Posts: 290
Joined: Sat Feb 11, 2006 9:43 pm
Location: Birmingham, USA
Contact:

Re: ExtCalendar

Post by zuze » Thu Jul 13, 2006 7:38 pm

I really like the extCalendar as well, and do not want to give it up  easily  8)

If to go to all the trouble to rename folder names, like com_extcalendar to something else, like com_bigbadwoolf, and all the references in the component and module files, that should make the renamed calendar invisible to any future automated attacks?  ???

Also, I just tested the script that I got hacked with against the identical Joomla site I have (one that I do not use anymore) by applying the script, and it gave me the same hack even with the

defined( ‘_VALID_MOS’ ) or die( ‘Restricted access’ );

inserted.

See this post for info and look at the proof of concept: http://www.securityfocus.com/archive/1/439451

What does the "sanitize variabel $mosConfig_absolute_path in extcalendar.php"  mean?



Check this post for the extcalendar
Last edited by zuze on Thu Jul 13, 2006 8:03 pm, edited 1 time in total.
The key to your life is how well you deal with plan "B".
Latvian Project http://joomlacode.org/gf/project/joomla_latvian/ | http://www.joomlalv.org

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: ExtCalendar

Post by Elpie » Thu Jul 13, 2006 10:58 pm

That vulnerability has already been fixed in the upgrade that we should have out soon.
We are in the final testing stages now.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

 

Locked

Return to “3rd Party/Non Joomla! Security Issues”