There was an important security fix in 1.0.1. Please upgrade asap. If you only want the security fix, edit includes/functions.php and go to the $noSet array at line 61. Insert the following into the array:
"includedir" => 1,
This is very important. There have been multiple reports of websites getting defaced.
-- Jeff
Is there a patch or upgrade instructions for going from 1.0.0 to 1.0.1?
There are no database changes; you just need to update the files. So, make a backup of all your files first... Then, you can just unzip the new 1.0.1 zip file on top of the old 1.0.0 files.
-- Craig
Actually, that doesn't work for those of us who have modded 1.0.0. Is there an upgrade script? (If not, no big deal, I'll just run a comparison program.)
Anybody who has updated from 1.0.0 please post the changes done. This will be very helpful.
Thanks a million
Naveen
Just read my original post at the top of this thread if you want to manually apply the patch.
-- Jeff
Why is this not highlighted as a security upgrade on the main webcalendar page? I added it to the wiki....
What were the actual "symptoms" of a breach of this security? We recently had a few problems, and I applied the fix (not update yet) to our existing 1.0.0 install.
Thanks.
Anyone? We recently had problems, and I would like to know if this was it, or I should look elsewhere. Thank you.
Look at your server logs for send_reminders.php?include_dir=
This text will be in the hacker's URL.
-Ray
As far as strangeness to look for -
I noticed a problem when I had something like a dozen errant perl processes running using large amounts of CPU time. Also look for instances of sh. Some other binaries I saw that weren't perl scripts were the usual - r0nin, pwn3d, uselib23. Look for binaries and perl scripts in well known public areas: /tmp, /var//tmp etc. Plus all the standard precautions if you think there's a malicious non-root user.
That seems easy enough. I have already updated my functions.php with the one-line code change.
Hope that should fix the problem without doing anything else.
I added that one line of code to the array, but I got the following error:
Parse error: parse error, unexpected T_STRING, expecting ';' in /nfs/disk/data/www/virtual/extension/washington/calendar_new1/includes/functions.php on line 2129
I am currently using 0.9.45 and I would like to upgrade to 1.0.1. Are there any database changes?
Yes. See the file upgrading.html when you download the program.
Turn off globals
My website was breached! I have several websites hosted using addon domains, and these websites were defaced by hackers.
Upon inspecting my access log, I see a lot of URLs like /calendar/tools/send_reminders.php?includedir=
I have updated my calendar to ver 1.01. What else should I do now?
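A log check for the requests described in the replies above, as an added example that is not part of the original thread or of WebCalendar: it flags access-log lines that request send_reminders.php with an includedir or include_dir query parameter, the two spellings that appear in this thread. The Apache common/combined log format and the sample lines are assumptions, constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter spellings mentioned in the thread: the fix names "includedir",
# one reply says to search the logs for "include_dir".
SUSPECT_PARAMS = {"includedir", "include_dir"}
TARGET_SCRIPT = "send_reminders.php"

# Assumed format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_hits(lines):
    """Return (ip, time, status, path) for each request that sets a
    suspect parameter on the target script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/" + TARGET_SCRIPT):
            continue
        # parse_qsl percent-decodes names, so "include%5Fdir" is still caught.
        names = {k.lower() for k, _ in
                 parse_qsl(parts.query, keep_blank_values=True)}
        if names & SUSPECT_PARAMS:
            hits.append((m.group("ip"), m.group("time"),
                         int(m.group("status")), parts.path))
    return hits

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /calendar/month.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2005:10:01:12 +0000] "GET /calendar/tools/send_reminders.php?includedir=PLACEHOLDER HTTP/1.0" 200 312',
    '198.51.100.7 - - [01/Jan/2005:10:01:40 +0000] "GET /calendar/tools/send_reminders.php?include%5Fdir=PLACEHOLDER HTTP/1.0" 200 298',
    '203.0.113.5 - - [01/Jan/2005:10:05:00 +0000] "GET /calendar/tools/send_reminders.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    import sys
    # Pass an access log path as the first argument, or run on the samples.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, when, status, path in find_hits(source):
        print(f"{when}  {ip}  {status}  {path}")
```

A hit with a 200 status only shows the request was served; whether the install was patched at that time has to be checked separately.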
The fix in the first post mentioned above doesn't seem to work. I have version 1.0RC2. I added ""includedir" => 1,", but my array was around line 28, not 61. Threw a bunch of errors.....
Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/domain/public_html/calendar/includes/functions.php on line 457
Parse error: parse error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ',' or ';' in /home/domain/public_html/calendar/includes/functions.php on line 457
I don't think you're in the right spot. I'm using 1.0.1 and the array is definitely on line 61.
Why not upgrade to 1.0.1? It shouldn't be difficult from the 1.0RC2 version.
I was worried that my settings and mods (mostly layout and colors) would change when upgrading.
Will they?
The layout and colours won't change. It is saved in the database. You are not changing the database, are you?
I have no idea....upgrading through Fantastico...so I click a button and it's upgraded, so I have no idea what would be done.
You should be able to run a backup of everything from the site control panel. Then, if the upgrade does mess it up, you could restore the DB.
Bruce
I just installed version 0.9.44 that came with my Fantastico auto installer. It works fine. What is the best way to upgrade my install to this latest version?
Hi,
I also used the auto installer and. All the events appear correctly, but I can't log in to my calendar any more. Any help would be appreciated. I am a newbie. I looked in the administrator guide, but don't know where to insert the recommended code.
Thanks for your help.
Walt
waltl@copper.net