
Re: ExtCalendar

Posted: Thu Jul 13, 2006 11:10 pm
by Floranett
Elpie wrote: That vulnerability has already been fixed in the upgrade that we should have out soon.
We are in the final testing stages now.
That's great news Elpie :D

Re: ExtCalendar

Posted: Fri Jul 14, 2006 8:28 am
by Gregorius
Great news indeed... thank you for your efforts guys... it's much appreciated.

Re: ExtCalendar

Posted: Fri Jul 14, 2006 8:47 am
by leolam
A client of mine was also hacked... nothing wrong with configuration.php, but the index.php was replaced...
waiting for the patch...
cheers
Leo

Re: ExtCalendar

Posted: Fri Jul 14, 2006 11:08 am
by Elpie
Testing is well underway Leo - hope to have it available for you soon.

Re: ExtCalendar

Posted: Fri Jul 14, 2006 11:11 am
by leolam
Elpie wrote: Testing is well underway Leo - hope to have it available for you soon.
Need testing and hack-attempt assistance?
cheers
Leo

Re: ExtCalendar

Posted: Fri Jul 14, 2006 1:07 pm
by RobinH
leolam wrote:
Elpie wrote: Testing is well underway Leo - hope to have it available for you soon.
Need testing and hack-attempt assistance?
cheers
Leo
Ditto here.  I'm on a VPS and haven't had any hack attempts since moving to it, but would be willing to do testing with you.

Re: ExtCalendar

Posted: Fri Jul 14, 2006 1:17 pm
by lboccia
Dear Albi,
can you confirm that, using the Calendar version you suggested, there are no known security issues?

Regards,
Luigi

Re: ExtCalendar

Posted: Fri Jul 14, 2006 1:21 pm
by svenl
Elpie wrote: Testing is well underway Leo - hope to have it available for you soon.
Thanks for this.

Even if it is still a "beta" and in testing mode, is it possible to get "hands on it" and start implementing ExtCalendar again?

Is there anybody who will also start to develop this component further??

/Sven
8)

Re: ExtCalendar

Posted: Fri Jul 14, 2006 1:50 pm
by Elpie
We are not releasing it until it has been thoroughly tested.  The reason for this is that we need to be certain that it works as intended without causing problems. When we looked into the code we found that there was a lot more to do to fix security issues than just preventing direct access and we had to write the update so it would install the new version and completely remove the old one.

Do NOT uninstall the ExtCalendar you have now, through the Joomla backend admin, unless you have a backup or are prepared to lose all your events. The current version deletes all its data tables when it is uninstalled.

And, don't worry, ExtCalendar is not an orphan project any more. We will be looking after it :)

Re: ExtCalendar

Posted: Fri Jul 14, 2006 1:53 pm
by PhilTaylor-Prazgod
Elpie wrote: Do NOT uninstall the ExtCalendar you have now
Misleading advice.

Possibly reword like this:

"Do not use the Joomla Uninstall method in Joomla Admin for uninstalling ExtCalendar right now, as that would remove your events and they would be lost forever - HOWEVER YOU MUST remove manually, using FTP or SSH, the /components/com_extcalandar/ folder and all files below in order to prevent your site getting hacked."


:-)~ :-)

Re: ExtCalendar

Posted: Fri Jul 14, 2006 2:04 pm
by Elpie
Agreed, I missed a couple of words ;)  Fixed that now.
All going well, the release should only be a matter of hours away.

Re: ExtCalendar

Posted: Fri Jul 14, 2006 2:13 pm
by RobinH
Actually I don't think that removing the component, regardless of the method used, is a 'must'.  If your site is secure, and in my case on your own server, the odds of a hacking event are somewhat mitigated.

I don't think we should state that just because there's an issue, users should remove the product.  And how long will we have to wait for the fix?  I doubt we have to wait much longer, as these guys seem to really have pride in their product and my feeling is they'll be providing us a very good solution in very little time.

I just would hate to "stampede the cattle" by shouting 'fire, fire, fire' when some of us may be at risk but have not been hacked, and the hack-proof solution is soon to come.  Most of us get that knee-jerk reaction when we start hearing about these hacker events, but there are enough suggestions floating around that I believe one could secure their site well enough until the solution is provided.

Anyway, that's my thought on this.  I'm waiting patiently for that update myself, as I feel that this product is now an integral part of my site and I definitely don't want to lose it.

Re: ExtCalendar

Posted: Fri Jul 14, 2006 2:23 pm
by PhilTaylor-Prazgod
RobinH wrote: If your site is secure, and in my case on your own server,
Exactly how many Joomla users have that though???? And even if they do - do they have the knowledge to make a server secure - probably not.

Try telling that to the people that got hacked - to the 50+ people that have employed my company to fix their sites after the hackers.... Some of which were dedicated servers!

I'm not yelling fire fire fire - I'm being real and serious about a real and expanding hacking threat to 3PD

Re: ExtCalendar

Posted: Fri Jul 14, 2006 2:33 pm
by leolam
PhilTaylor-Prazgod wrote:
Misleading advice.
Possibly reword like this:
"Do not use the Joomla Uninstall method in Joomla Admin for uninstalling ExtCalendar right now, as that would remove your events and they would be lost forever - HOWEVER YOU MUST remove manually, using FTP or SSH, the /components/com_extcalandar/ folder and all files below in order to prevent your site getting hacked."
Incorrect wording and confusing for newbies and people who do not have YOUR knowledge!

Please realise that we (more experienced people) are here to help and protect the users of this fantastic Joomla-product and that we are not in this to play games and use the situation to promote!

Most likely rewording, so people with less KB understand this as well:

"Do NOT uninstall the ExtCalendar you have now, through the Joomla backend admin, because you will lose all your events.  The current version deletes all its data tables, where the events are stored, when it is uninstalled through the uninstaller of the admin backend." If you want to keep your events, which are stored in the database tables, while waiting for the new EXT Calendar patch, you should strongly consider removing manually (using FTP or your cPanel file manager or equivalent panel) the /components/com_extcalandar/ folder and all files below. This will secure your system for now from being hacked through this component and keeps your events in the database for future use when the new files and folders are available, which will be soon."

Next @Phil... You promote on your website a hack for download solving this issue... Your rewording above is though in contradiction to the "patch" on your site, since it advises removing the folders instead of applying the patch as you promote on your site? Can you please clarify this to avoid misunderstanding?
PhilTaylor-Prazgod wrote: Try telling that to the people that got hacked - to the 50+ people that have employed my company to fix their sites after the hackers....
I'm not yelling fire fire fire - I'm being real and serious about a real and expanding hacking threat to 3PD
I am simply asking how your rewording from above fits this message. The people who are currently working on this new patch are addressing serious SQL issues and others related to EXT Calendar as well... Could you shine your light on this as well, because it seems that a little bit more is present than you have addressed in your patch, if I understand this correctly? Please advise, because I would love to know if I can use the patch you have installed with your 50 or so users, or should I uninstall as you suggest in your rewording? Is your patch safe and does it solve the issue?

thanks
Cheers
Leo

Re: ExtCalendar

Posted: Fri Jul 14, 2006 2:40 pm
by PhilTaylor-Prazgod

leolam wrote: A client of mine was also hacked... nothing wrong with configuration.php, but the index.php was replaced...
waiting for the patch...
cheers
Leo
Maybe if the "more experienced" had advised his customer correctly he would not have got hacked!!
Maybe if the "more experienced" had the experience he could patch or help his customer right away?

leolam wrote: Please realise that we (more experienced people) are here to help and protect the users of this fantastic Joomla-product and that we are not in this to play games and use the situation to promote!
Not sure if you are counting yourself more experienced than me, or that you think I am trying to promote my services? Or both.  In fact, that I do this for a living is a fact - I can't change that - and yes I do charge and yes I do make money - get over it - that's my job! - it also means that I am very experienced.

At the end of the day if users leave excalendar.php or file_upload.php or image_upload.php on their server they seriously risk getting hacked. Even if they are leaving it there waiting for a new release to be made.

Two choices:
1) remove the files - don't get hacked
2) leave the files - risk getting hacked.

I personally was involved in one of the first hacks of this wave last Friday - and since then I have spent 12 hours of every day - along with two staff members - fixing hacked sites around the world.  I am experienced in the hackers' methods and entry points and know I personally can protect a server from hacking.

Re: ExtCalendar

Posted: Fri Jul 14, 2006 3:00 pm
by leolam
PhilTaylor-Prazgod wrote: @leo
I'm not interested in your nit-picking personal flaming thread posts - go and find someone else to troll and I'll simply get on with doing what I was doing before you decided to pop in.
May I object to this flame and abuse? I asked you a very decent question, one which is not flaming and one which is a very fair question. I asked you if your thread was solving the issue and I made a clarification on the remark. What is wrong with asking if your solution solves it? Please advise why you need to be aggressive and abusive.
PhilTaylor-Prazgod wrote:
leolam wrote: A client of mine was also hacked... nothing wrong with configuration.php, but the index.php was replaced...
waiting for the patch...
cheers
Leo
Maybe if the "more experienced" had advised his customer correctly he would not have got hacked!!
Thank you for that... I could reply very easily with a remark that I read somewhere that you just helped 50 of your customers, but I won't, because I just asked a decent question to which I have not yet got an answer. Does your patch solve the issue, was the question. If so I am happy and we will apply it to the customer's site!!

Please note that I do not understand your aggression and/or your frustration. I even posted a thank you message on your blog at http://blog.phil-taylor.com for sharing your solution with us... I read now that we have other developments (Elpie's posts) and possibly other hacks or releases, and I ask a question... the answer is insults? May I be displeased with that approach?

Cheers
Leo

Re: ExtCalendar

Posted: Fri Jul 14, 2006 3:03 pm
by PhilTaylor-Prazgod
leolam wrote: just helped 50 of your customers
Actually they were not customers of mine - but they are now, because they knew where to turn when they were let down by other so-called "more experienced".

The fact is, and this thread proves, that there are a lot of people thinking they are qualified to give advice.  Even bad advice.

Your posts have done nothing for this thread.

I conclude (on topic)

If you have the files extcalendar.php, file_upload.php, image_upload.php (or perForms) on your site then you are liable to be hacked if you have not taken action to remove, patch, or protect yourself against a string of automated, self-replicating attacks.  You are also vulnerable if you have taken action based on some incorrect advice (like modifying htaccess files, I read somewhere).

You have been warned.

Re: ExtCalendar

Posted: Fri Jul 14, 2006 3:16 pm
by leolam
PhilTaylor-Prazgod wrote: The fact is, and this thread proves, that there are a lot of people thinking they are qualified to give advice.  Even bad advice.
completely agree without doubt!
PhilTaylor-Prazgod wrote: If you have the files extcalendar.php, file_upload.php, image_upload.php (or perForms) on your site then you are liable to be hacked if you have not taken action to remove, patch, or protect yourself against a string of automated, self-replicating attacks.  You are also vulnerable if you have taken action based on some incorrect advice (like modifying htaccess files, I read somewhere).
You have been warned.
which is without doubt excellent advice! but:

Phil,
once again I ask you if your patch, which is downloadable from your site, solves indefinitely this vulnerability which has been discovered recently? Is it too much to ask to give a straight answer to that question, which is a fair request? On the bad advice I do concur, by the way. The .htaccess remarks are not applicable in this situation and do not solve anything. So in other words, if I understand you correctly, if I apply your patch I do not have to fear anymore and I cannot get hacked through the ext.calendar vulnerability any longer?  :)
Cheers
Leo

Re: ExtCalendar

Posted: Fri Jul 14, 2006 3:21 pm
by albi
lboccia wrote: Dear Albi,
can you confirm that, using the Calendar version you suggested, there are no known security issues?

Regards,
Luigi
Greetings, my friend

No known security issues till now for this calendar

http://extensions.joomla.org/component/ ... Itemid,35/

Regards
dimitri

Re: ExtCalendar

Posted: Fri Jul 14, 2006 3:24 pm
by PhilTaylor-Prazgod
leolam wrote: Phil,
once again I ask you if your patch, which is downloadable from your site, solves indefinitely this vulnerability which has been discovered recently? Is it too much to ask to give a straight answer to that question, which is a fair request? On the bad advice I do concur, by the way. The .htaccess remarks are not applicable in this situation and do not solve anything. So in other words, if I understand you correctly, if I apply your patch I do not have to fear anymore and I cannot get hacked through the ext.calendar vulnerability any longer?  :)
Cheers
Simple answer.  The patch on my blog has been removed in favour of the pending combined developers' re-release of ExtCalendar, which I have been aware of for some time. The patch that was available on my site was developed in-house at speed for a particular customer and fixed all file include vulnerabilities in that single file. Since that time other SQL injection and string manipulation issues have been found and the patch removed from my site.

I have been in almost daily touch with Martin Brampton (Ex Mambo Core Lead Developer) and he has been working with the team on securing ExtCalendar.  I have offered to promote the official release he and the team of developers will make available soon to my mailing list of over 10,000 Joomla users worldwide (The same list I announced the issues to at the beginning of this week).

Re: ExtCalendar

Posted: Fri Jul 14, 2006 3:31 pm
by leolam
PhilTaylor-Prazgod wrote:
leolam wrote: Phil,
once again I ask you if your patch, which is downloadable from your site, solves indefinitely this vulnerability which has been discovered recently? Is it too much to ask to give a straight answer to that question, which is a fair request? On the bad advice I do concur, by the way. The .htaccess remarks are not applicable in this situation and do not solve anything. So in other words, if I understand you correctly, if I apply your patch I do not have to fear anymore and I cannot get hacked through the ext.calendar vulnerability any longer?  :)
Cheers
Simple answer.  The patch on my blog has been removed in favour of the pending combined developers' re-release of ExtCalendar, which I have been aware of for some time. The patch that was available on my site was developed in-house at speed for a particular customer and fixed all file include vulnerabilities in that single file. Since that time other SQL injection and string manipulation issues have been found and the patch removed from my site.

I have been in almost daily touch with Martin Brampton (Ex Mambo Core Lead Developer) and he has been working with the team on securing ExtCalendar.  I have offered to promote the official release he and the team of developers will make available soon to my mailing list of over 10,000 Joomla users worldwide (The same list I announced the issues to at the beginning of this week).
Thank you for your reply... that was all I asked for in my initial post. On the remainder I will post in private to the known channels. As usual it was my pleasure  :-\

Cheers
Leo

Re: ExtCalendar

Posted: Fri Jul 14, 2006 3:54 pm
by RobinH
Weeeeeeeeeeeeeeeeea hah.... sometimes these forums can be oh so much fun!!!  :laugh:

This is what I meant in an earlier post about developers not wanting to hear anything bad said about their "babies".  You gotta love developers, they are such lonely people, working hard on their computers all in a world of their making, designing and creating wonderful products for lame butts like me....

Warning to all visitors to these forums - never get a developer angry at you - they have a very long memory, and tons of RAM to store it in!!!

:laugh: :D ;)

Rootkit Installed

Posted: Fri Jul 14, 2006 3:58 pm
by donaldwheaton
I have a website that was defaced through the security hole in the ExtCalendar component and previously with RSGallery.  In both defacements, not only did the home page get replaced, but the hacker installed a rootkit.  My other security measures limited the rootkit's usefulness, but standard installations would be compromised and most likely be relays for spam or slaves for a DDoS attack.  If you have been hacked, or even before you have been hacked, and you're running a *NIX system, I would recommend installing and running a rootkit scanner like chkrootkit or rkhunter and a log analysis program like logwatch.  Here are their web site addresses:
http://www.chkrootkit.org/
http://www.rootkit.nl/
http://www.logwatch.org/

Re: Rootkit Installed

Posted: Fri Jul 14, 2006 4:00 pm
by RobinH
donaldwheaton wrote: I have a website that was defaced through the security hole in the ExtCalendar component and previously with RSGallery.  In both defacements, not only did the home page get replaced, but the hacker installed a rootkit.  My other security measures limited the rootkit's usefulness, but standard installations would be compromised and most likely be relays for spam or slaves for a DDoS attack.  If you have been hacked, or even before you have been hacked, and you're running a *NIX system, I would recommend installing and running a rootkit scanner like chkrootkit or rkhunter and a log analysis program like logwatch.  Here are their web site addresses:
Please pardon my ignorance (well, why should you?  My wife doesn't). What is a *NIX system???

Re: Rootkit Installed

Posted: Fri Jul 14, 2006 4:02 pm
by PhilTaylor-Prazgod
donaldwheaton wrote: I have a website that was defaced through the security hole in the ExtCalendar component and previously with RSGallery.  In both defacements, not only did the home page get replaced, but the hacker installed a rootkit.  My other security measures limited the rootkit's usefulness, but standard installations would be compromised and most likely be relays for spam or slaves for a DDoS attack.  If you have been hacked, or even before you have been hacked, and you're running a *NIX system, I would recommend installing and running a rootkit scanner like chkrootkit or rkhunter and a log analysis program like logwatch.  Here are their web site addresses:
http://www.chkrootkit.org/
http://www.rootkit.nl/
http://www.logwatch.org/

For clarification:
You can only run these tools if you have ssh/telnet access to your server and the correct permissions and privileges to do so.  Most normal web hosting accounts will not have this level of access to the server's operating system, and scanning for rootkits should only be done by those with full access and permission to the OS files. (After all, if you run a rootkit check and find a problem you need the experience or knowledge to know what to do next :-) )

For the regular Joomla user the use of rootkit scanning would not apply.

A *nix system is one based on UNIX or Linux code (Red Hat, CentOS, etc.)

Re: ExtCalendar

Posted: Fri Jul 14, 2006 4:04 pm
by leolam
RobinH wrote: Warning to all visitors to these forums - never get a developer angry at you - they have a very long memory, and tons of RAM to store it in!!!
:laugh: :D ;)
Hack their memory and remove
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
from what they consider to be a brain :)

cheers
Leo
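
The "no direct access" guard Leo quotes above is the check Elpie's post refers to as "preventing direct access": a Joomla 1.0.x component file that lacks it can be executed by requesting the file on its own, outside index.php. As an added audit example (not code from the thread, from Phil's patch, or from the ExtCalendar project), this POSIX shell function lists the PHP files under a directory that have no such guard; the sample files it creates under mktemp are constructed for the demonstration and the component name com_example is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Joomla 1.0.x component folder for
# PHP files that do not contain the "no direct access" guard quoted above:
#   defined( '_VALID_MOS' ) or die( 'Restricted access' );
# A file without it runs when requested directly by URL, which is the exposure
# class the thread calls "preventing direct access".

# Print (one per line, sorted) every *.php under $1 that has no _VALID_MOS guard.
find_unguarded_php() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        # Tolerate spacing and quote style: defined('_VALID_MOS'), defined( "_VALID_MOS" )
        if ! grep -Eq "defined[[:space:]]*\([[:space:]]*['\"]_VALID_MOS['\"]" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone demonstration on a constructed sample tree (hypothetical component
# com_example, not a real Joomla install). Prints only the path of unguarded.php.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/com_example"
    cat > "$tmp/com_example/guarded.php" <<'EOF'
<?php
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
echo 'reachable only through index.php';
EOF
    cat > "$tmp/com_example/unguarded.php" <<'EOF'
<?php
// no guard at all: runs when this file is requested directly
echo 'hello';
EOF
    find_unguarded_php "$tmp/com_example"
    rm -rf "$tmp"
}

# Real use: find_unguarded_php /path/to/joomla/components
```

Any path the function prints is a file to review: either add the guard line or confirm the file is meant to be requested directly.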

Re: Rootkit Installed

Posted: Fri Jul 14, 2006 4:10 pm
by RobinH
PhilTaylor-Prazgod wrote: For clarification:
You can only run these tools if you have ssh/telnet access to your server and the correct permissions and privileges to do so.  Most normal web hosting accounts will not have this level of access to the server's operating system, and scanning for rootkits should only be done by those with full access and permission to the OS files. (After all, if you run a rootkit check and find a problem you need the experience or knowledge to know what to do next :-) )

For the regular Joomla user the use of rootkit scanning would not apply.

A *nix system is one based on UNIX or Linux code (Red Hat, CentOS, etc.)
Thanks, appreciate the info.  I'm on a VPS with full admin authority on the server, running CentOS.  Will go investigate that rootkit scanner.

Re: ExtCalendar

Posted: Fri Jul 14, 2006 4:10 pm
by Buster
Any news on any re-releases?

Re: ExtCalendar

Posted: Fri Jul 14, 2006 4:14 pm
by RobinH
Buster wrote: Any news on any re-releases?
Coming soon to a theater near you!!!

Re: ExtCalendar

Posted: Fri Jul 14, 2006 4:16 pm
by Buster
That's strange, the last e-mail I got from the developer it was a HE not SHE and his name is David.  Has he had surgery? :)