Author Topic: Calendarscript can be hacked by outsiders?  (Read 1914 times)
Scott
« Reply #15 on: August 06, 2004, 10:02:00 AM »

I have checked the script for other potential security vulnerabilities, and I can find none. In the 4 years or so that this script has been available, this is the only security bug that has been found, and this only recently.

No software is exempt from the risk of security vulnerabilities, as can be seen in regular reports on browsers, operating systems, etc. The important thing is that software authors take immediate action when a bug is found and get the fix to as many users as possible. I've done this to the best of my ability. Even so far as manually contacting a huge number of sites using the script to notify them of the vulnerability and the fix that has been available for 6 months. _MOST_ of those sites which I've contacted and helped patch have not even paid for the script which they are actively using!  

The choice to use CS or another calendar is yours, of course.

------------------
Scott
CalendarScript.com


gnahc79
« Reply #16 on: August 09, 2004, 07:28:00 PM »

Our website got hacked recently, I had CS 3.2 installed and just updated it to 3.21 today.  Someone uploaded index.html to the root directory, our index.htm was kept intact though.  The damage was very minimal, I deleted the hacker's file, changed all of the passwords and updated CS.


sorry about that...no log

[This message has been edited by gnahc79 (edited August 09, 2004).]

DanO
« Reply #17 on: August 09, 2004, 07:52:00 PM »

** Here is the log: **

As I have stated previously in the forum, it is probably NOT a good idea to post the code used to exploit previous CalendarScript versions' vulnerabilities. If you return, please edit your message to remove it.

JMO

Dan O.

------------------

cake viking
« Reply #18 on: August 12, 2004, 12:01:00 AM »

I've just uploaded a test version of CalendarScript and like it best of all such scripts I've tried so far. I'll be ready to pay if I can just figure out how to get it to use the utf-8 charset. But this worries me. Would it be more secure to create a subdomain such as calendar.mysite.com so that the files were isolated from my main site? My host doesn't allow shell access or cron jobs.  Would this also insulate me somewhat?

thanks.


-nils
DanO
« Reply #19 on: August 12, 2004, 03:02:00 PM »

** Would it be more secure to create a subdomain such as calendar.mysite.com  **

I don't know (but doubt) whether that would make it any more secure, and in such a case you may have to pay a separate registration fee for each of those subdomains it is installed on, but check with Matt (CalendarScript's author) directly if you decide to go that route.

For your other inquiry (which has nothing to do with security), it would probably be best if you posted a separate message about that in the most appropriate forum like maybe the customization forum?

JMO

Dan O.

[This message has been edited by DanO (edited August 12, 2004).]

Shelley
« Reply #20 on: August 13, 2004, 11:29:00 AM »

Hi,

I just got hacked yesterday. My fault, though because I thought I had 3.2.1 but in reality only have 3.2. You know how it is, you never think it'll happen to you.

So my question is, should I download the full 3.2.1 and start over? The past calendar data is not critical to me.

Should I completely change all my passwords and usernames on the calendar? Right now, it's disabled. Also, are 777 permissions a problem? Should I move the calendarscript directory to another location as suggested in the Security notes section of this site?

If it's better to use the 3.2.1 upgrades to 3.2, I'm not sure how to use these. If someone could walk me through how and where to put the patches to 3.2 that would be great.

Oops! Never mind, I just read the 3.2.1 upgrade notes on the Download page. It seems pretty clear.

And, do I need to pay some more to do this? I am happy to do this since I think the calendar is great.

Also, my host server sent me the logs detailing the hack. Should I send them to someone at CalendarScript fyi?

Thanks for any info.

Shelley
------------------

[This message has been edited by Shelley (edited August 13, 2004).]

DanO
« Reply #21 on: August 13, 2004, 12:37:00 PM »

** should I download the full 3.2.1 and start over? The past calendar data is not critical to me. **

The last time I looked, the upgrade package was missing a couple of files needed to complete a fully functioning upgrade (see Template File Does Not Exist and the message linked from there). If you don't mind losing calendar data (events and user info) and the settings you have set (colours, etc.), going with a complete install of version 3.21 may be simplest.

** Should I completely change all my passwords and usernames on the calendar? **

Those don't matter and will be reset automatically if you do a complete installation.

** Also, are 777 permissions a problem? **

Not usually but they aren't really needed either. Script files and their directories only usually need permissions of 755 (or 775 depending on the server set up) and the data files and directories 666 (or 766 depending...) but check your host's CGI FAQs for what is acceptable on their server.

On all the installs I've done I just FTP'd the files to the server and chmod the calendar.pl and calendar_admin.pl files (and debug.pl if you use it) to 755. The rest of the files worked with the permissions set for them by the server during upload.

** my host server sent me the logs detailing the hack. Should I send them to someone at CalendarScript fyi? **

You could email them to Matt (CalendarScript's author) but I'm fairly certain he knows what transpired.

JMO

Dan O.

[This message has been edited by DanO (edited August 13, 2004).]

Shelley
« Reply #22 on: August 13, 2004, 12:42:00 PM »

Thanks so much Dan.

I'll do a clean install since I'm tweaking everything on this calendar already.

Do you think I need to locate the calendarscript directory elsewhere and change the BASE DIRECTORY path?

Shelley

------------------

DanO
« Reply #23 on: August 13, 2004, 12:44:00 PM »

** Do you think I need to locate the calendarscript directory elsewhere **

I don't think that will help anything.

JMO

Dan O.

------------------

KM
« Reply #24 on: August 17, 2004, 10:20:00 PM »

Make sure to check for any files (CGIs) which may have been uploaded as a back door. Today we found another rogue ircd running. After tracking down through backup logs I found a script which was used to upload. So, during the first round before the upgrade someone left a back door.
Matt
« Reply #25 on: August 25, 2004, 06:10:00 PM »

I found a file called Raven.c in my calendarscript directory. I deleted it and returned about an hour later and the file was replaced. The thing pumps out about 8000 messages and I have no clue how they are uploading the file.

I do have the 3.21 patch installed

Matt
« Reply #26 on: August 25, 2004, 06:36:00 PM »

So has anybody else who is reporting being hacked found any of the following files:

Raven.c or raven.c
debuge.cge or Debuge.cgi
ssi.txt or SSI.txt

Matt

Daves-not-here...
« Reply #27 on: August 26, 2004, 08:17:00 AM »

My site was hacked, it appears, last week, deleting the main script and installing index files.
I was using 3.2... just upgraded to 3.21
It was done by a popular hacker group.

Another person/group or the same people left another signature on my main index file. Activity was the same day.

Oliver
« Reply #28 on: August 27, 2004, 11:26:00 AM »

I'm pretty sure my site got hacked through the old version. Of course I was on vacation when it started...
Once I came back, the entire site was gone, every single file was deleted. Unfortunately the log file was no longer available as my host doesn't keep it around after month's end.
Shortly after getting the site up again somebody installed a folder they called login, in which there was a login.html and login.pl. And when I looked at that file, it was a login screen for paypal. Seems like somebody put that there trying to gather credit card numbers. I moved them and renamed them, set permission to 0 since I thought paypal might want to see them, but they never got back to me.

I now have the new version which mostly works just fine.

Oliver

------------------

Brainwrap
« Reply #29 on: October 10, 2005, 04:18:00 PM »

I've had the "Unreal IRC" hack happen to one of my clients 3 times in the last 2 months--and I am *definitely* using version 3.21.

It's the same thing every time--the following files are installed:

calendarscript > config > unrealircd.conf
calendarscript > config > config.settings
calendarscript > config > config.log
calendarscript > config > config.status
calendarscript > config > extras (directory w/other files inside)
calendarscript > config > include (directory w/other files inside)
calendarscript > config > ircdcron (directory w/other files inside)
calendarscript > config > Makefile
calendarscript > config > unreal
calendarscript > config > src (directory w/other files inside)
calendarscript > config > tmp
calendarscript > config > tmp/B2721411.commands.so
calendarscript > config > ircd.pid
calendarscript > config > ircd.tune
calendarscript > config > ircd.log

calendarscript > lib > DBFile.pm (file was already there, but something was changed in it, not sure what)

Unfortunately, my hosting company has shut down CalendarScript on this particular domain name (it's a shared server; they can't risk the other clients being hit through this exploit, and it's the 3rd time it's happened), but I can forward the entire directory (including the exploit-added files) to you if this helps.

Please advise--I use your script (licensed) on several sites; so far, fortunately, only the one has been compromised, but I'd hate to have to abandon CalendarScript in the future because of this issue!

------------------
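The advice earlier in the thread on permissions (Reply #21: 755 for the .pl scripts, 666 only for data files) and the reports of dropped files and a changed DBFile.pm (Replies #24, #26 and #29) can be turned into a small triage script for anyone who finds their install in this state. The following is an added example written for this page; it is not code from CalendarScript or from anyone in the thread. It builds a constructed stand-in directory with placeholder contents (none of the real script's files are reproduced), records a hash baseline while the install is known-good, and then reports files not in the baseline, known files whose contents changed, names matching those reported in the thread, and world-writable directories or script files. Hash comparison goes slightly beyond what the thread describes: it is what catches the "something was changed in DBFile.pm, not sure what" case. The baseline has to be taken right after a clean install or upgrade, before the directory is exposed, or it will simply enshrine whatever was already dropped there.

```python
import hashlib
import os
import stat
import tempfile

# Filenames reported in this thread as left behind by the intrusions (matched case-insensitively).
SUSPECT_NAMES = {"raven.c", "debuge.cgi", "debuge.cge", "ssi.txt", "unrealircd.conf",
                 "ircd.pid", "ircd.tune", "ircd.log", "ircdcron", "unreal"}
SCRIPT_SUFFIXES = (".pl", ".cgi", ".pm", ".so")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Relative path -> sha256 for every file, taken while the install is known-good."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def risky_world_writable(name, mode, is_dir):
    """World-writable directories and scripts let anyone drop or rewrite code; a plain
    data file left at 666 (as advised above for data files) is not reported."""
    if not mode & stat.S_IWOTH:
        return False
    return is_dir or bool(mode & stat.S_IXUSR) or name.lower().endswith(SCRIPT_SUFFIXES)


def audit_install(root, baseline):
    """Walk the live directory and return sorted findings against the baseline."""
    findings = {"unexpected": [], "modified": [], "world_writable": [], "suspect_name": []}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            is_dir = stat.S_ISDIR(mode)
            if risky_world_writable(name, mode, is_dir):
                findings["world_writable"].append(rel)
            if name.lower() in SUSPECT_NAMES:
                findings["suspect_name"].append(rel)
            if is_dir:
                continue
            if rel not in baseline:
                findings["unexpected"].append(rel)   # dropped after the baseline was taken
            elif sha256_file(full) != baseline[rel]:
                findings["modified"].append(rel)     # known file whose contents changed
    return {k: sorted(v) for k, v in findings.items()}


def _write(root, rel, content, mode=0o644):
    """Create a file with explicit permissions so the demo does not depend on umask."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    os.chmod(os.path.dirname(full), 0o755)
    with open(full, "w") as f:
        f.write(content)
    os.chmod(full, mode)


def make_clean_install():
    """Constructed stand-in for a script install; contents are placeholders, not the real files."""
    root = tempfile.mkdtemp(prefix="calendarscript-")
    _write(root, "calendar.pl", "#!/usr/bin/perl\n# placeholder\n", 0o755)
    _write(root, "calendar_admin.pl", "#!/usr/bin/perl\n# placeholder\n", 0o755)
    _write(root, "lib/DBFile.pm", "package DBFile;\n1;\n")
    _write(root, "data/events.db", "placeholder event data\n", 0o666)  # data file at 666
    return root


def simulate_intrusion(root):
    """Constructed: plant the kinds of artefacts the thread reports, with placeholder contents."""
    _write(root, "Raven.c", "/* placeholder, not a real program */\n")
    _write(root, "config/unrealircd.conf", "placeholder\n")
    _write(root, "config/tmp/B2721411.commands.so", "placeholder\n")
    with open(os.path.join(root, "lib", "DBFile.pm"), "a") as f:
        f.write("# line appended after install (placeholder)\n")
    os.chmod(os.path.join(root, "config"), 0o777)  # directory left at 777


def run_demo():
    """Baseline a clean tree, plant the artefacts, audit again; returns (before, after)."""
    root = make_clean_install()
    baseline = build_baseline(root)
    before = audit_install(root, baseline)
    simulate_intrusion(root)
    return before, audit_install(root, baseline)
```

On a real install you would call `build_baseline` against the freshly uploaded directory, save the result somewhere outside the web root, and run `audit_install` against the saved baseline whenever the host reports trouble; anything under "unexpected" or "modified" is what to hand to the host or the author along with the access logs.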
