Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG  Not logged in ELOG logo
icon4.gif   elog submit without user and password, posted by H. Scheit on Mon Jul 8 19:42:13 2002 
    icon2.gif   Re: elog submit without user and password, posted by Stefan Ritt on Tue Jul 9 10:58:18 2002 
       icon2.gif   Re: elog submit without user and password, posted by H. Scheit on Tue Jul 9 15:28:33 2002 
          icon2.gif   Re: elog submit without user and password, posted by Stefan Ritt on Wed Jul 10 08:53:21 2002 
Message ID: 63     Entry time: Tue Jul 9 10:58:18 2002     In reply to: 57     Reply to this: 64
Icon: Reply  Author: Stefan Ritt  Author Email: stefan.ritt@psi.ch 
Category: Comment  OS:   ELOG Version:  
Subject: Re: elog submit without user and password 
> With elog it is possible to submit messages to a password protected
> logbook without specifying the -u option.  I.e. NO PASSWORD is
> necessary to submit a message.  I assume it is related to the problem
> of expiring password-cookies while entering the message using a web
> browser.

Indeed this problem is related to the expiring password cookies. As a 
reminder: For the submission of a new entry, the password is checked when one 
presses the "New" button, but NOT for the "submit". This is because a 
password can expire between the "New" and the "Submit", so a entered message 
could not be sent. The question is now what to do with the standalone "elog".

Right now, elog does a normal submission where the password is not checked, 
which is maybe not what one wants. But what to do? If elog sends a special 
flag "please do check password on submit", someone could analyze the source 
code, remove the flag from elog and then still submit messages without a 
password. If I put an additional flag to the web browser submission "please 
do not check the password since the cookie might have been expired", someone 
can add this flag into elog and still bypass the password checking.

Anothe thing which bothers me is if you specify the password explicitly on 
the command line of elog, it's visible in some scripts etc, which yould be a 
security issue as well.

Any ideas?
ELOG V3.1.4-80633ba