A place to post questions and ideas about SuperCali PHP Event Calendar
Hi Dana,
SuperCali is a great program for being free to the public, but a vulnerability has been found which allows hackers to get your admin password. Details can be found here:
http://milw0rm.com/exploits/4141
A nice fellow from Turkey found my site by searching for "allintext supercali event calendar", then deleted all my database entries.
The fix apparently is to sanitize the $o parameter, but unfortunately I'm not savvy enough to do this.
Offline
Crap, I'm sorry about that...
A quick fix is to replace line 108 of includes/start.php from:
if ($_REQUEST["o"]) {
to (corrected)
if (is_numeric($_REQUEST["o"])) {
Thanks,
Dana
Offline
Please note that I had first listed the correction as:
if (is_int($_REQUEST["o"])) {
This will not work, however.
Thanks,
Dana
Offline
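Dana's two posts above hinge on a detail worth seeing in running code: every value in $_REQUEST arrives as a string, so is_int() is never true on request data, while is_numeric() accepts more than a plain integer id (decimals, exponents, leading whitespace). The following is an added example, not SuperCali's own code; the SQLite in-memory database, the `calendars` table and the column names are assumptions made so the script runs offline. It shows the two checks side by side, a stricter digits-only check, and the id bound as a query parameter so it can never be interpreted as SQL.

```php
<?php
// Added example, not SuperCali's own code. Contrasts the is_int() / is_numeric()
// checks from the thread on string request values, then queries with a bound
// parameter. The table name, columns and SQLite DSN below are assumptions.
declare(strict_types=1);

// Dana's first suggestion: is_int() is false for every $_REQUEST value,
// because they are all strings ("1" is not an int).
function acceptsIsInt($o): bool
{
    return is_int($o);
}

// The posted fix: is_numeric() blocks quotes and keywords, but also lets
// through "1.5", "1e3" and " 1", which are not valid ids.
function acceptsIsNumeric($o): bool
{
    return is_numeric($o);
}

// Stricter: accept only a non-empty string of decimal digits and cast it.
function parseCalendarId($o): ?int
{
    if (!is_string($o) || $o === '' || !ctype_digit($o)) {
        return null;
    }
    return (int) $o;
}

// Hardened lookup: validate first, then bind the id as an integer parameter.
// Even if validation were loosened later, the value is never spliced into SQL.
function fetchCalendar(PDO $db, $o): ?array
{
    $id = parseCalendarId($o);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM calendars WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture so the example runs without a real installation.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE calendars (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO calendars (id, name) VALUES (1, 'Main'), (2, 'Events')");

// Constructed sample request values, from well-formed to malformed.
$samples = ['1', '2', '1.5', '1e3', ' 1', "1'", '1 OR 2', ''];
foreach ($samples as $o) {
    $row = fetchCalendar($db, $o);
    printf(
        "%-10s is_int=%d is_numeric=%d strict_id=%-4s row=%s\n",
        var_export($o, true),
        acceptsIsInt($o) ? 1 : 0,
        acceptsIsNumeric($o) ? 1 : 0,
        var_export(parseCalendarId($o), true),
        $row === null ? 'none' : $row['name']
    );
}
```

Run it with `php` from the command line (the pdo_sqlite extension is assumed). Only "1" and "2" reach the database; "1.5", "1e3" and " 1" pass is_numeric() but are rejected by the digits-only check, and anything containing a quote or a space is rejected by both. The bound parameter is the part that closes the hole permanently: the check on $o limits what reaches the query, and the prepared statement guarantees the database treats it as data regardless.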
Dana, here's my problem...I installed the Calendar on a friend's website (a ministry website), and now the month of July has nasty events scheduled. I installed it a while ago:
http://www.mcmafl.com/web-calendar/old-index.php?o=1&c=1&m=07&a=1&y=2007
I followed the advice given above...but will we need to create a new admin username and password? If it's been hacked?
This is a very bad vulnerability. Especially for a ministry website.
I've thought of switching calendars as a result, but if this one can be fixed permanently, I'd rather do that.
Offline
I would certainly change the password. I'm sorry your calendar was hacked.
Thanks,
Dana
Offline
Correct me if I'm wrong...
Since "config.php" has a .php extension, on most if not all servers that file will be downloadable. This file contains the database password and other sensitive information. If it were an .inc extension, servers won't allow it to be downloaded.
It seems to me, that's why this was hacked (or at least one reason).
Last edited by TomatoPi (2007-08-29 12:53 am)
Offline
I've tried to find that line in the file start.php but it's not there?
Offline
> TomatoPi wrote:
> Correct me if I'm wrong...
> Since "config.php" has a .php extension, on most if not all servers that file will be downloadable. This file contains the database password and other sensitive information. If it were an .inc extension, servers won't allow it to be downloaded.
> It seems to me, that's why this was hacked (or at least one reason).
I'm not sure if this is the case. I think the idea behind having config.php being a .php file is that it will be parsed rather than being downloaded. If it was an .inc extension, I think it would just spit out the code, at least on my server.
Offline
> heaven wrote:
> I've tried to find that line in the file start.php but it's not there?
It might be that you have a later version, which is already fixed.
Thanks,
Dana
Offline
Thanks for taking the time to help, I really appreciate it.
Offline