Security Fix in 1.0.1

Jeff H
2005-08-26
2013-01-15
1 2 > >> (Page 1 of 2)
  • Jeff H

    Jeff H - 2005-08-26

    There was an important security fix in 1.0.1.  Please upgrade asap.  If you only want the security fix, edit includes/functions.php and go to the $noSet array at line 61.  Insert the following into the array:

    "includedir" => 1,

    This is very important.  There have been multiple reports of websites getting defaced.

    -- Jeff

     
    • asinsh

      asinsh - 2005-08-26

      Is there a patch or upgrade instructions for going from 1.0.0 to 1.0.1?

       
    • Craig Knudsen

      Craig Knudsen - 2005-08-26

      There are no database changes; you just need to update the files.  So, make a backup of all your files first...  Then, you can just unzip the new 1.0.1 zip file on top of the old 1.0.0 files.

      -- Craig

       
      • asinsh

        asinsh - 2005-08-26

        Actually, that doesn't work for those of us who have modded 1.0.0.  Is there an upgrade script? (If not, no big deal, I'll just run a comparison program.)

         
    • Nobody/Anonymous

      Anybody who has updated from 1.0.0 please post the changes done. This will be very helpful.

      Thanks a million
      Naveen

       
      • Jeff H

        Jeff H - 2005-09-06

        Just read my original post at the top of this thread if you want to manually apply the patch.

        -- Jeff

         
    • Nobody/Anonymous

      Why is this not highlighted as a security upgrade on the main webcalendar page?  I added it to the wiki....

       
    • Nobody/Anonymous

      What were the actual "symptoms" of a breach of this security? We recently had a few problems, and I applied the fix (not update yet) to our existing 1.0.0 install.

      Thanks.

       
    • Nobody/Anonymous

      Anyone? We recently had problems, and I would like to know if this was it, or I should look elsewhere. Thank you.

       
    • Ray Jones

      Ray Jones - 2005-09-15

      Look at your server logs for send_reminders.php?include_dir=

      This text will be in the hacker's URL

      -Ray

       
    • Nobody/Anonymous

      As far as strangeness to look for -
      I noticed a problem when I had something like a dozen errant perl processes running using large amounts of CPU time. Also look for instances of sh. Some other binaries I saw that weren't perl scripts were the usual - r0nin, pwn3d, uselib23. Look for binaries and perl scripts in well known public areas: /tmp, /var//tmp etc. Plus all the standard precautions if you think there's a malicious nonroot user.

       
    • Nobody/Anonymous

      That seems easy enough. I have already updated my functions.php with the one line code change.

      Hope that should fix the problem without doing anything else.

       
    • Nobody/Anonymous

      I added that one line of code to the array, but I got the following error:

      Parse error: parse error, unexpected T_STRING, expecting ';' in /nfs/disk/data/www/virtual/extension/washington/calendar_new1/includes/functions.php on line 2129

       
    • Nobody/Anonymous

      I am currently using 0.9.45 and I would like to upgrade to 1.0.1.  Are there any database changes? 

       
      • Nobody/Anonymous

        Yes. See the file upgrading.html when you download the program.

         
    • Nobody/Anonymous

      Turn off globals

       
    • Nobody/Anonymous

      My website was breached! I have several websites hosted using addon domains; these websites were defaced by hackers.

      Upon inspecting my access log, I see a lot of URLs like /calendar/tools/send_reminders.php?includedir=

      I have updated my calendar to ver 1.01, what else should I do now?
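
Added example, not part of the thread or of WebCalendar: a log scan for the request pattern the posts above describe (`send_reminders.php?include_dir=` and `?includedir=`), reporting every request that sets either parameter. It assumes Apache common/combined access log format; the function name and the sample lines are constructed for illustration.

```python
import re
import sys
from urllib.parse import urlsplit, parse_qsl

# Parameter names quoted in this thread.
SUSPECT_PARAMS = {"includedir", "include_dir"}

# host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_includedir_requests(lines):
    """Return one dict per logged request that sets a suspect parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes names, so "include%5Fdir" is caught too
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SUSPECT_PARAMS:
                hits.append({
                    "host": m.group("host"),
                    "time": m.group("time"),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                })
                break  # one record per request is enough
    return hits

# Constructed sample lines (documentation address ranges, placeholder values).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2005:03:12:45 +0000] "GET /calendar/tools/send_reminders.php?includedir=EXAMPLE-VALUE HTTP/1.0" 200 512',
    '198.51.100.4 - - [14/Sep/2005:03:13:02 +0000] "GET /calendar/month.php?date=20050914 HTTP/1.1" 200 8841',
    '203.0.113.9 - - [14/Sep/2005:03:15:10 +0000] "GET /calendar/tools/send_reminders.php?x=1&include%5Fdir=EXAMPLE-VALUE HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    # Usage: python scan.py access.log [access.log.1 ...]; no args scans the sample.
    sources = sys.argv[1:]
    lines = SAMPLE_LOG if not sources else (
        l for p in sources for l in open(p, errors="replace"))
    for h in find_includedir_requests(lines):
        print(h["time"], h["host"], h["status"], h["path"], h["param"], repr(h["value"]))
```

Access logs record the query string of GET requests only, so a parameter sent in a POST body will not appear here. The status column shows which requests the server actually answered with 200.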

       
    • Nobody/Anonymous

      The fix in the first post mentioned above doesn't seem to work. I have version 1.0RC2. I added ""includedir" => 1,", but my array was around line 28, not 61. Threw a bunch of errors.....

      Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/domain/public_html/calendar/includes/functions.php on line 457

      Parse error: parse error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ',' or ';' in /home/domain/public_html/calendar/includes/functions.php on line 457

       
    • Nobody/Anonymous

      I don't think you're in the right spot.  I'm using 1.0.1 and the array is definitely on line 61.

      Why not upgrade to 1.0.1?  It shouldn't be difficult from the 1.0RC2 version.

       
    • Nobody/Anonymous

      I was worried that my settings and mods (mostly layout and colors) would change when upgrading.

      Will they?

       
    • Nobody/Anonymous

      The layout and colours won't change. It is saved in the database. You are not changing the database, are you?

       
    • Nobody/Anonymous

      I have no idea....upgrading through Fantastico...so I click a button and it's upgraded so I have no idea what would be done.

       
      • Bruce

        Bruce - 2005-10-23

        You should be able to run a backup of everything from the site control panel. Then, if the upgrade does mess it up, you could restore the DB.

        Bruce

         
    • Nobody/Anonymous

      I just installed version 0.9.44 that came with my Fantastico auto installer. It works fine. What is the best way to upgrade my install to this latest version?

       
    • walter

      walter - 2005-11-10

      Hi,
      I also used the auto installer and. All the events appear correctly, but I can't log in to my calendar any more. Any help would be appreciated. I am a newbie. I looked in the administrator guide, but don't know where to insert the recommended code.
      Thanks for your help.
      Walt
      waltl@copper.net

       