[UPGRADE AVAIL.] ExtCalendar Vulnerability

[leolam]

just changed file permissions to 000 and it has taken down the whole site...please help me asap.

emma you have a pm from me!
cheers
Leo

[leolam]

WARNING
the module mod_extcalendar_latest[/b] is NOT SECURE!

UNINSTALL THIS MODULE IMMEDIATELY!

do not only unpublish but UNINSTALL!

this module misses also "Access is not allowed etc!"

Uninstall and delete the three files!

Leo

[emma]

Thank you and to Leo...

Calendar is now completely off and site is back up....although i am hoping all of the calendar information is backed up...

Can anyone suggest a similar calendar for the site that doesnt have security issues?

Kindest Regards, Emma 

[gws]

Hi Emma, there is a lot of work going on to make extcalendar safe, you should see a new version available this week.

[Elpie]

Emma, and others, the final work on the ExtCalendar update is in progress as I write. The new version will be out soon and I think you will be very happy with it. A few bugs have been fixed and it is as secure as possible. Just finalising everything now and an announcement will be made as soon as we release it.

[mom2nine]

Thanks so much for taking on this project.  Losing that calendar component was a tough thing for many of us because it was such a great add-on and worked so well.

[lib99]

WARNING
the module mod_extcalendar_latest[/b] is NOT SECURE!

First, I'd like to offer a big thank you to those who voluntarily stepped up to fix the security issues recently discovered with this extension.  Ironically, I was just going to ask if the related modules are part of the planned security fix release or not (in addition to the component)?  I don't recall reading that as of yet.  Also, just curious...has the extcal download been unpublished from extensions.joomla.org?  I haven't seen it there, and I know I grabbed it last month. 

[Elpie]

We have patched the MiniCal module, written a removal tool, and done a whole heap of work on the ExtCalendar component.

As far as I am aware, all extensions that have known vulnerabilities with exploits in the wild have been unpublished from the Extensions site. Where an extension is known to have a problem its not a good idea to leave it there for unsuspecting users to download eh?

Edit: Just thought I would add - just because an extension is listed on the Extensions site does NOT mean it is necessarily safe. Reports of exploits are coming through faster than anyone can keep up, so it is clear that as the hackers work through 3rd party extensions more vulnerabilities will come to light.  A good list of confirmed vulnerabilities is here: http://forum.mamboguru.com/forumdisplay.php?f=63
(It's essentially an announcement list, so you can see at a glance what extensions are known to have problems - and every one of them listed has exploits in the wild).

[lib99]

Yes, I figured as much about unpublishing from the extension downloads, but I'm not familiar enough with Joomla Admin's protocols for these types of scenarios.  Certainly logical and appropriate.  Thanks for the reply, and thank you again to yourself and the others working on this!!

[torkil]

On a sidenote and about the MiniCal module: Last time I checked it did DB queries in a loop, like this:

for (each day in month) {
    query for events();
}

This should really be patched to increase it's performance, if that hasn't already been done.

[Elpie]

ExtCalendar Security Release (0.9.2)

This is a security release for ExtCalendar taken from the 0.9.1 drop. This should work on both Joomla! and Mambo.
DO NOT Uninstall the ExtCalendar component unless you have a backup of your data or are willing to lose all your events. The previous ExtCalendar uninstall removes its data tables.

Steps to upgrade:
1.      Backup your site, including your database. Mamboguru.com has detailed instructions for backing up and restoring db with phpMyAdmin at http://wiki.mamboguru.com/index.php?tit ... e_database
2.      Log in as an admin
3.      Install the com_ExtCalendarRemoval-RC1.zip component (this removes ExtCalendar without deleting the data). If it reports any errors, please delete those directories using an FTP client or a file manager.
4.      Uninstall the ExtCalendarRemoval component.
5.      Install the new com_extcalendar_0_9_2_RC4.zip.

Removal Component here: http://mamboguru.com/downloads/ExtCalen ... al-RC1.zip

New ExtCalendar upgrade here: http://mamboguru.com/downloads/ExtCalen ... _2_RC4.zip

Security Update for MiniCal here: http://mamboguru.com/downloads/ExtCalen ... _3_RC2.zip

If you experience any problems with downloading or using this security release, please contact us through the Mambo Guru forums. This update applies to both Mambo and Joomla and we just cannot keep an eye on all the forums individually.

[Elpie]

O/T kinda

I just want to say a BIG THANK YOU! to everyone who came forward to test these new releases of ExtCalendar. I also want to publicly thank davidrrm without whom these releases would not have happened, and counterpoint for his contributions.  When I had the bright idea to do this, I had no idea how much work was going to end up going into it. This has been a collaborative effort involving many people from both Joomla and Mambo, for the benefit of the wider communities of users. This security release really shows the power and spirit of open source and I am grateful to all of you who allowed me to talk you into coming on board - thanks.

[leolam]

I just concur to say a BIG THANK YOU!


just one for the road........status mod_extcalendar_latest? 

cheers ...You are ALL Wonderful people!

Leo

[Elpie]

just one for the road........status mod_extcalendar_latest? 

No, we didn't touch the latestevents module. It requires a major overhaul, far more than a security release. There are some good things planned for the project as a whole so the future may bring what you are looking for.

For now, I recommend that people do not use the module.

[boardmoose]

THANK YOU!! 

[Ottobufonto]

Thanks Elpie and all!!!!

any chance for a list of bug fixes? (you mentioned you addressed some)

[sc00zy]

Thanks everybody!

[LeonZ]

Thanks for the hard work. 
Little problem, dutch language file included doesn't work at all. Attached a working version for dutch.

[LeonZ]

Hi all,

I just stumbled into another problem. I am using the minical-module on the frontpage. When I click on a date in the minical the page which comes up tells me I don't have rights to view and have to login first.

On the other hand, when I click the menu-item for my calendar and the calendar is showing I can click in the minical without getting the notice. In other words minical works when viewing the calendar but without the calendar it is not.

URL = whiskypassion

[charlie]

Huge thank you to all involved with this upgraded version. Thanks for the hard work.

Charles (Johannesburg, South Africa).

[Elpie]

Thanks for the hard work. 
Little problem, dutch language file included doesn't work at all. Attached a working version for dutch.

Thanks LeonZ. We will add this at the first opportunity.

[RobinH]

Hi all,

I just stumbled into another problem. I am using the minical-module on the frontpage. When I click on a date in the minical the page which comes up tells me I don't have rights to view and have to login first.

On the other hand, when I click the menu-item for my calendar and the calendar is showing I can click in the minical without getting the notice. In other words minical works when viewing the calendar but without the calendar it is not.

URL = whiskypassion

Hey Elpie, I'm an idiot, all my testing was done logged in, should have caught that.  Guess we need to pass that on to David.  Next testing I'll add in steps for registered, guest, and special groups to insure all functionality....my bad....

[davidrrm]

Hi all,

I just stumbled into another problem. I am using the minical-module on the frontpage. When I click on a date in the minical the page which comes up tells me I don't have rights to view and have to login first.

On the other hand, when I click the menu-item for my calendar and the calendar is showing I can click in the minical without getting the notice. In other words minical works when viewing the calendar but without the calendar it is not.

URL = whiskypassion

I believe you have com_extcalendar published in two differnent menu items (perhaps on different menus). One with public access and one with Registered or Special access. The access rights are completely controlled by Joomla. When you click on the mini_cal on the front page, it does not have an Itemid for a menu item, so Joomla has to look through your menus to "guess" what access should be given. When you click on the menu item, it knows which Itemid to use, and can assign the right access permissions.
I tested this on your site by adding &Itemid=43 (the item id for your calendar menu item) to the URL for the mini_cal from the front page and was able to jump to the event.

david

[wuslon]

what a great job.

thank you so much!


the upgrade worked with no problems. (sorry, about my very bad written english please!)

one question: whats about the  Search ExtCal Calendar 1.1 mambot? is this mambot secure ore it`s better to uninstall like the mod_extcalendar_latest?


wuslon

[emma]

Thanks Everyone for your help yesterday - you were fantastic.

Kindest Rgds, Emma 

[RobinH]

David, I just ran through it on my test site as Guest, and you are correct.  I have the calendar set for public and had no problems accessing it. I tried to emulate the problem he's listed above but have been unable.

I tried changing the component to "registered" required for new entry or edit, and the calendar displays fine and acts appropriately in that only registered can enter new events.  I changed the module to "registered" and it does not display to the public.  So I've tried mixing it up with one being public and the other registered but couldn't get that fault.

Is it possible he's running mod_latest??

EDIT - David, you're right.  I added in a menu item for calendar and marked registered, so now I have one menu item public, the other registered.  When I click on the minical, I get the error he has listed above.

[p3rti]

Hi.

First i want to say. THANK YOU That what i love the free software (Free of Freedom), right now, i want to test this component with the module minical of extcalendar. i installed the last version  and when i logged with admin on the front end and when i put an event like admin it say that wait to the admin admit, i receive a email from the software with the description and a link, and when i click on the link (and i logged with admin account) it say "Your user level is merely Anonymous Guest, and it must be at least Administrator." and its very wear. i dont see any button that say edit or sometime like that, i want to know if i have to make a hack to the code or sometime like that.

thanks a lot. this make feel all around the free software so happy!!

[RobinH]

Hi.

First i want to say. THANK YOU That what i love the free software (Free of Freedom), right now, i want to test this component with the module minical of extcalendar. i installed the last version  and when i logged with admin on the front end and when i put an event like admin it say that wait to the admin admit, i receive a email from the software with the description and a link, and when i click on the link (and i logged with admin account) it say "Your user level is merely Anonymous Guest, and it must be at least Administrator." and its very wear. i dont see any button that say edit or sometime like that, i want to know if i have to make a hack to the code or sometime like that.

thanks a lot. this make feel all around the free software so happy!!

Log out and log back in, assuming your user level is Admin.  The click on the minical, you should have displayed the calendar and near the top an box for events to approve.  Shouldn't require any hack.  If you notice the link in the email states that you must be logged in with administrative authority to approve.  Most of the time that link takes you in as Guest, so you have to log in to do the approval.  Try that and see if it works.

[metatech]

Thank you so very much for this contribution. You've saved my bacon!

ExtCalendar Security Release (0.9.2)

[RobinH]

Hi all,

I just stumbled into another problem. I am using the minical-module on the frontpage. When I click on a date in the minical the page which comes up tells me I don't have rights to view and have to login first.

On the other hand, when I click the menu-item for my calendar and the calendar is showing I can click in the minical without getting the notice. In other words minical works when viewing the calendar but without the calendar it is not.

URL = whiskypassion

Whew!  Leon, I was able to emulate this problem, then couldn't get rid of it!!!  Thanks to David for saving my bacon.  Here's what I had, and you see if you can follow this logic (it might be illogic . . lol) and maybe be able to come to a conclusion on your issue.

First, after proofing extcal and minical, I added a menu item for a component under usermenu for Calendar.  I first had that as a public function, and my minical and this usercal both worked fine.  Then I made the usercal a registered access item, and blammo... I get the error you indicated above.  So, thinks I, I'll delete that menu item and all will be well... NOT... I deleted it, but didn't reset it to public first.  I kept getting this error even though it was deleted.  So i uninstalled and reinstalled both the component and the module. Was near to pulling out my hair when David chimed in with his valuable comment:  "Did you empty your trash?".... NO WAY, it can't be that easy???

Well, went back into admin, home, trash, menu items, and deleted them (of which there were several) and now all is good.  Egads I'm glad David's around!!!!!!

Hope this works for you!

Message from your old Uncle Robin - remember boys and girls, to empty your trash when you're through!!!