The following link from the French CERTA government center about SECURITY explains that ExtCalendar
must be uninstalled by all users because of a critical security threat:
http://www.certa.ssi.gouv.fr/site/CERTA-2006-ALE-008/
I think you should immediately address this matter, which is critical: the problem is already posted on French-language sites about Joomla and extcalendar, with a recommendation NOT to install the component.
//--------------------------------------
1 Risk: Remote arbitrary code execution.
2 Affected systems: ExtCalendar versions earlier than or equal to 2.0.
3 Description: ExtCalendar is an application for managing a calendar. It comes as a component that can be installed alongside CMSs (Content Management Systems) such as Joomla! or Mambo. A vulnerability has been identified in it. It does not correctly check the variable
mosConfig_absolute_path. A malicious user can take advantage of this to inject arbitrary code remotely.
This vulnerability is currently being exploited.
4 Temporary workaround: Pending a fix, it is strongly recommended to:
* uninstall the ExtCalendar component wherever possible
* disable the following PHP options, register_globals and allow_fopenurl, in the php.ini file.
//--------------------------------------------
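
As an added example (not part of the original report or of the CERTA advisory): a small Python check of the two php.ini settings the workaround names. It assumes a single global php.ini with no per-directory sections; the advisory writes `allow_fopenurl`, while the php.ini directive is named `allow_url_fopen`, and the sample file contents are constructed.

```python
import re

# Directives named in the workaround, mapped to PHP's built-in defaults,
# which apply when php.ini does not set them. The advisory text writes
# "allow_fopenurl"; the php.ini directive is allow_url_fopen.
DEFAULTS = {"register_globals": False, "allow_url_fopen": True}

def is_on(value):
    """Interpret a php.ini boolean: On/True/Yes or a non-zero integer."""
    v = value.strip().strip("\"'").lower()
    if v in ("on", "true", "yes"):
        return True
    return v.lstrip("-").isdigit() and int(v) != 0

def parse_ini_flags(text):
    """Return the effective value of each audited directive."""
    flags = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ; comments
        m = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m and m.group(1) in flags:            # directive names are case sensitive
            flags[m.group(1)] = is_on(m.group(2))  # a later assignment wins
    return flags

def audit(text):
    """List the directives that are still enabled and should be turned off."""
    return sorted(name for name, on in parse_ini_flags(text).items() if on)

# Constructed sample: register_globals on, allow_url_fopen only commented out,
# so PHP falls back to its default (On).
SAMPLE_WEAK = """
[PHP]
register_globals = On
;allow_url_fopen = Off
"""

# Constructed sample with both options disabled as the workaround asks.
SAMPLE_HARDENED = """
[PHP]
register_globals = Off
allow_url_fopen = 0   ; disabled pending a fix
"""

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", audit(sample) or "both options disabled")
```

A commented-out `allow_url_fopen` line is reported as enabled, because the directive defaults to On when php.ini does not set it.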
Logged In: NO
While I wish this was in English... it's true... extcal just sent out 47,000 emails from my site
Logged In: NO
A direct and not exact translation from French to English..
1 Risk: Arbitrary execution of code remotely.
2 affected Systems: Former or equal versions of ExtCalendar
to 2.0.
3 Description: ExtCalendar is an application making it possible to manage one
calendar. It is presented in the form of a component, which can be installed
in partnership with CMS (for Content Systems Management) of type
Joomla! or Mambo. A vulnerability was identified in this one.
It does not check the variable correctly
mosConfig_absolute_path. A malevolent user can benefit from this
property to inject arbitrary code remotely.
This vulnerability is currently exploited.
4 provisional Skirting: It is strongly recommended, in waiting
of a corrective measure, of:
* to uninstall the ExtCalendar component as far as possible
* to decontaminate following options PHP register_globals and
allow_fopenurl in the file php.ini.
Logged In: NO
Looks like this post has been sitting here since June and has not been addressed by extcal associates.
Plenty enough reason for me not to install it.
Thanks for posting.