Discussion forum about ELOG, Page 131 of 807

ID | Date | Type | Author | Category | OS | ELOG Version | Subject
69408 | Tue Nov 2 12:07:46 2021 | Reply | Stefan Ritt <stefan.ritt@psi.ch> | Question | Linux | elog-3.1.4-2 | Re: results of security scan

The elogd.c program itself is rather weak in SSL, since I just don't have time to catch up with the latest SSL enhancements. The safest thing you can do is to put an industry-strength web server like Apache in front of elogd and let that server handle the SSL layer.

Stefan

David Stops wrote:

Recently central IT scanned our elog server and reported the following "vulnerabilities":

  • 42873 (1) - SSL Medium Strength Cipher Suites Supported (SWEET32)
  • 51192 (1) - SSL Certificate Cannot Be Trusted
  • 65821 (1) - SSL RC4 Cipher Suites Supported (Bar Mitzvah)
  • 85582 (1) - Web Application Potentially Vulnerable to Clickjacking

Is there any easy way of preventing these?

Thanks and Best Wishes

David
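Stefan's advice above, carried out as an added example (this is neither the ELOG project's own configuration nor code from this thread): an Apache httpd virtual host that terminates TLS and proxies to elogd on a loopback port. The hostname, certificate paths and the address 127.0.0.1:8080 are assumptions; the cipher, protocol and header settings are chosen to address the four scanner findings David listed.

```apache
# Added example, not the ELOG project's own configuration: Apache httpd
# terminating TLS and proxying to elogd.  Hostname, certificate paths and
# the loopback address 127.0.0.1:8080 are assumptions (elogd keeps serving
# plain HTTP locally, e.g. with "port = 8080" as in Stefan's config below).
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers enabled.

<VirtualHost *:80>
    ServerName elog.example.org
    # Plain-HTTP clients are sent to the TLS endpoint.
    Redirect permanent / https://elog.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName elog.example.org

    SSLEngine on
    # Finding 51192 (certificate cannot be trusted): use a certificate issued
    # by a CA the scanner trusts, with the intermediate chain appended to it.
    SSLCertificateFile    /etc/ssl/certs/elog.example.org.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/elog.example.org.key

    # Findings 42873 (SWEET32, 3DES) and 65821 (Bar Mitzvah, RC4): offer only
    # TLS 1.2+ with AEAD, forward-secret suites; neither 3DES nor RC4 is listed.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on

    # Finding 85582 (clickjacking): refuse to be framed by other origins.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"

    # Forward everything to elogd over loopback and rewrite its redirects.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Run `apachectl configtest` before reloading, keep port 8080 unreachable from outside the host so the scanner cannot reach elogd directly, and point the URL option in elogd.cfg (it appears in Gerald's config later on this page) at the https address so the links elogd generates go through the proxy.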

 

69409 | Thu Nov 4 13:48:00 2021 | Reply | David Stops <djs@star.sr.bham.ac.uk> | Question | Linux | elog-3.1.4-2 | Re: results of security scan

Thanks, I'll try that and see what happens

 

David

Stefan Ritt wrote:

The elogd.c program itself is rather weak in SSL, since I just don't have time to catch up with the latest SSL enhancements. The safest thing you can do is to put an industry-strength web server like Apache in front of elogd and let that server handle the SSL layer.

Stefan

David Stops wrote:

Recently central IT scanned our elog server and reported the following "vulnerabilities":

  • 42873 (1) - SSL Medium Strength Cipher Suites Supported (SWEET32)
  • 51192 (1) - SSL Certificate Cannot Be Trusted
  • 65821 (1) - SSL RC4 Cipher Suites Supported (Bar Mitzvah)
  • 85582 (1) - Web Application Potentially Vulnerable to Clickjacking

Is there any easy way of preventing these?

Thanks and Best Wishes

David

 

 

68176 | Mon Nov 2 08:41:20 2015 | Reply | Andreas Luedeke <andreas.luedeke@psi.ch> | Bug report | All | 3.1.1 | Re: restrict edit time and autosave
Hi Kester,
Yes, I did run into the same problem, that I could not even delete old drafts due to our restrict edit time.
We allow anonymous submissions in our operation logbooks. After a while, drafts of unsubmitted messages just pile up, and I need to remove them as administrator.
While I can do that easily for anonymous drafts, I cannot do that for drafts of other users: I don't easily see those drafts.
It would be really nice if drafts were handled differently from other entries regarding "Restrict edit time", as you've suggested.
Cheers, Andreas
Kester Habermann wrote:

Hello,

When using restrict edit time together with autosave, there is the following problem: the counter for restrict edit time seems to start after the autosave. If the time is up, it is no longer possible to submit the report.
It is also not possible to edit old drafts if restrict edit time has elapsed since the creation of the save.
Autosave is definitely a nice new feature. However, I think it would be better if the counter for restrict edit time only started after the "submit" of the report and allowed edits to drafts no matter how old they are. As it is, one needs to either set a really high value for restrict edit time or turn off autosave.
The issue seems to be related to: https://midas.psi.ch/elogs/Forum/68103

Regards

Kester

 

 

 

 

69001 | Thu Aug 15 13:34:23 2019 | Reply | Andreas Luedeke <andreas.luedeke@psi.ch> | Request | Linux | 3.1.4 | Re: restrict edit time

Yes, I agree that cleaning up old Draft entries and correcting/deleting old entries is a job for the administrator. Currently I do what you've said: commenting out "restrict edit time", changing the entry, commenting in "restrict edit time".

There are already some commands specifically for the admin:

  • Admin textarea = <cols>,<rows>
  • Admin user = <user list>

It would make sense to add more of them, for this specific case:

  • Admin restrict edit time = <hours>

If that is set to "-1", then the Admin can edit old entries regardless of their age. Actually there is no option to "unset" restrict edit time inherited from a global config: a negative time would make sense as "disabling" restrict edit time.

Another item for the endless wishlist ;-)

Cheers, Andreas

Sebastian Schenk wrote:

Hello,
I have experienced some inconveniences with the restrict edit time option.

First, it is not possible for admin users to edit an entry after the edit time.
The restrict edit option allows admin users to edit posts from other users,
so I think admins should also be allowed to edit posts after edit time.
As they can edit the config and temporarily disable the restrict edit time option, which is an issue.

Secondly, if a user made a draft and did not submit it before the edit time ran out,
the draft gets stuck as it cannot be edited (and submitted) any more.

Best wishes,
Sebastian

 

1851 | Thu Jun 22 08:04:13 2006 | Reply | Stefan Ritt <stefan.ritt@psi.ch> | Question | Linux | 2.6.1 | Re: restrict access
> -1- how can I restrict the access 
> of a certain user such that he can only see certain logbooks. 

This can be achieved with the "Login user = ..." option.

> But also not showing the other logbooks on the selection page.

You could try to use "top groups". This gives you "separate" groups of logbooks, so you could make a public tree
seen by everybody and private trees only seen by a few people. Please read the documentation for details.

> -2- How can I have a login page instead of the logbook selection page.
> When I insert the password statement the config, I get a blank page.

You get a login page instead of the selection page if the "Password file = " statement is in the [global] section
and "Protect selection page = 1". You might have to delete all cookies in your browser if you move the password
file statement between the [global] and the logbook sections, because otherwise the old cookies might prevent you
from logging out.
1853 | Thu Jun 22 11:29:17 2006 | Reply | Gerald Ebberink <g.h.p.ebberink@nclr.nl> | Question | Linux | 2.6.1 | Re: restrict access
> > -1- how can I restrict the access 
> > of a certain user such that he can only see certain logbooks. 
> 
> This can be achieved with the "Login user = ..." option.

That is what I found in the mean time. And it works like a charm.

> 
> > But also not showing the other logbooks on the selection page.
> 
> You could try to use "top groups". This gives you "separate" groups of logbooks, so you could make a public tree
> seen by everybody and private trees only seen by a few people. Please read the documentation for details.

I'm now using this (I had to redesign our tree for that)

> > -2- How can I have a login page instead of the logbook selection page.
> > When I insert the password statement the config, I get a blank page.
> 
> You get a login page instead of the selection page if the "Password file = " statement is in the [global] section
> and "Protect selection page = 1". You might have to delete all cookies in your browser if you move the password
> file statement between the [global] and the logbook sections, because otherwise the old cookies might prevent you
> from logging out.

This is not working for me, in Mozilla Firefox I'm still getting a blank page, where IE is giving me an error
stating that the page is unavailable.
1854 | Thu Jun 22 11:38:38 2006 | Reply | Stefan Ritt <stefan.ritt@psi.ch> | Question | Linux | 2.6.1 | Re: restrict access
> > You get a login page instead of the selection page if the "Password file = " statement is in the [global] section
> > and "Protect selection page = 1". You might have to delete all cookies in your browser if you move the password
> > file statement between the [global] and the logbook sections, because otherwise the old cookies might prevent you
> > from logging out.
> 
> This is not working for me, in Mozilla Firefox I'm still getting a blank page, where IE is giving me an error
> stating that the page is unavailable

If I use following config file:


[global]
port = 8080
password file = passwd
protect selection page = 1

[demo1]
Attributes = Author, Type, Category, Subject

[demo2]
Attributes = Author, Type, Category, Subject


then I don't get a blank page. An unavailable page you should only get when you use top groups, and want to
access the root.
1855 | Thu Jun 22 12:10:00 2006 | Reply | Gerald Ebberink <g.h.p.ebberink@nclr.nl> | Question | Linux | 2.6.1 | Re: restrict access
> > > You get a login page instead of the selection page if the "Password file = " statement is in the [global] section
> > > and "Protect selection page = 1". You might have to delete all cookies in your browser if you move the password
> > > file statement between the [global] and the logbook sections, because otherwise the old cookies might prevent you
> > > from logging out.
> > 
> > This is not working for me, in Mozilla Firefox I'm still getting a blank page, where IE is giving me an error
> > stating that the page is unavailable
> 
> If I use following config file:
> 
> 
> [global]
> port = 8080
> password file = passwd
> protect selection page = 1
> 
> [demo1]
> Attributes = Author, Type, Category, Subject
> 
> [demo2]
> Attributes = Author, Type, Category, Subject
> 
> 
> then I don't get a blank page. An unavailable page you should only get when you use top groups, and want to
> access the root.
I use the following file and do get this error (the company names and other sensitive information have been changed to
something similar but not so sensitive):

[global]
logbook tabs = 1
port = 80
Logbook dir = /srv/elog/logbooks/
URL = http://my.domain/

Protect selection page = 1
Password file = /srv/elog/passwords/main.passwd
Self register = 0
Admin user = Gerald


Group World = Procedures, Work
Group Work = Company, Company2
Group Company = twiddle
Group twiddle = Panels, Bond

[Procedures]
Theme = default
Comment = General Procedures for use with
Attributes = Author, Category, Subject
Options Category = Maintenance, Alignment
Required Attributes = Author, Category
Subdir = Some/dir

[Company2]
Theme = default
Comment = Company2 project Page
Attributes = Author, Category, Subject
Options Category = Scheduling, During Progress, During measuring, After
Required Attributes = Author
Subdir = some/dir

[Panels]
Theme = default
Attributes = Author, Category, Subject
Options Category = Scheduling, During Progress, During measuring, After
Required Attributes = Author
Subdir = Some/dir
Expand default = 2
Protect selection page = 1

[bond]
Theme = default
Attributes = Author, Category, Subject
Options Category = Scheduling, During Progress, During measuring, After
Required Attributes = Author
Subdir = some/dir