Discussion forum about ELOG, Page 141 of 807
ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
1159 | Fri May 27 14:48:05 2005 | Warning | Stefan Ritt | stefan.ritt@psi.ch | Request | | 2.5.8-6 | Re: password encryption

Alex H wrote:
Hi Stefan,

I have found a little problem with elog. I'm using ELOG V2.5.8-6. When I'm on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release?
Thanks a lot.
Alex


Unfortunately there is no real way around that. If a password is entered into a text box, it is always transferred in plain text (which means that in security-sensitive installations one should always use SSL together with elog). I encrypt it on the server side and do an immediate redirect which "hides" the plain password, but if your connection is slow, you might see it for a moment. Unless somebody has a clever idea of how to prevent this, we're out of luck.
1163 | Mon May 30 20:16:11 2005 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Request | Windows | 2.5.8-6 | Re: password encryption

Emiliano Gabrielli wrote:

I haven't double-checked, but why do we need to pass the sensitive information in the query string?
Are you sure that putting it in a hidden field (and eventually using a GET method in the <form>-tag) can't be a solution?


Hidden means only these fields are not shown in the form, but they are added to the URL in the same way as non-hidden fields. But I got another idea: I will try to use a POST form instead of the GET form. Using the POST method, fields are attached to the request and not present in the URL. Hope this will work. When I find some time to work on it I will let you know.
1166 | Wed Jun 1 16:33:54 2005 | Warning | Stefan Ritt | stefan.ritt@psi.ch | Bug report | All | 2.5.9 | Re: Logbook locking issue
Sorry about my unusually slow response, but I'm pretty busy these days. I hope I will be able to address this problem in two weeks from now.


Steve Jones wrote:
Stefan, any ideas on this problem?


Quote:
Our eLog is set to create logbook entry locks and after 30 minutes prevent one from re-editing an entry, thus forcing a REPLY to be created.

SCENARIO: When an *attempt* is made to edit a logbook after the 30-minute timer, one gets the message that EDITING is prevented and to use the browser "Back" button.

PROBLEM: The display now shows that particular entry to be locked, even though the attempt to edit was blocked. It appears that the lock flag is set prior to the "Edit" attempt being blocked and thus the lock flag is never "unset".
1172 | Sat Jun 4 10:59:52 2005 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Bug report | Windows | 2.6.0-beta | Re: Incorrect Display
I finally found some time to fix the pippo-bug ;-).

It had to do with the request that one can turn on and off the summary lines of the text body in Guest list display. So if this option does not contain Text, the text summary is not shown for guest access, but only for registered access. This modification had the side effect that one column was dropped on the non-guest access.
1173 | Sat Jun 4 12:21:21 2005 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Bug report | Linux | 2.5.9 | Re: reverse sort option does not work for quick filter

Heiko Scheit wrote:
The 'reverse sort' option does not work for quick filter searches. In the
URL there is always written 'reverse=0'. For normal 'Find' it works OK.


I don't understand the problem. If I take the example elogd.cfg from the distribution, it sorts in reverse order, since the file contains Reverse sort=1. If I apply a quick filter, the result is still sorted in reverse order (entry ID from high to low). If I set Reverse sort=0, then even after applying a quick filter, the entries are sorted with their ID from low to high. Applying a quick filter should not put a reverse=0 into the URL, so it's strange to me where this comes from. Can you try to reproduce the problem with the demo elogd.cfg?
1174 | Sat Jun 4 12:25:57 2005 | Warning | Stefan Ritt | stefan.ritt@psi.ch | Bug report | Linux | 2.5.9 | Re: elog crashes when admin tries to register new users

Heiko Scheit wrote:
When pasting the URL for the registration of new users (with 'Self register = 3') elog
crashes with segmentation fault. I don't have the time currently to give you more
debugging information but maybe you can have a look the same. It crashes after
the user is registered. The Email is sent, too.


I cannot reproduce this problem either. The only difference I see is that I use Thunderbird as my email client, where I don't have to copy/paste the activation URL into my browser, but just click on it. If maybe the copy/paste operation adds an additional CR/LF or so, that could be a problem. Can you check again? A stack trace of the crashed elogd would help as well.
1175 | Sat Jun 4 13:06:08 2005 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Bug report | All | 2.5.9 | Re: Logbook locking issue

Steve Jones wrote:
Stefan, not a problem. ITMT, any idea how I can manually clear this "lock"? Is it embedded in the logbook itself?


I would recommend to remove the Restrict edit time = 0.5 temporarily from your config file, then edit this entry, then click Back instead of Submit (since you don't really want to edit the entry). This removes the lock, and you can re-enable the Restrict edit time = 0.5 in the config file.


Quote:
Our eLog is set to create logbook entry locks and after 30 minutes prevent one from re-editing an entry, thus forcing a REPLY to be created.

SCENARIO: When an *attempt* is made to edit a logbook after the 30-minute timer, one gets the message that EDITING is prevented and to use the browser "Back" button.

PROBLEM: The display now shows that particular entry to be locked, even though the attempt to edit was blocked. It appears that the lock flag is set prior to the "Edit" attempt being blocked and thus the lock flag is never "unset".


I fixed this problem and committed it to CVS. It will be contained in the next release.
1176 | Sat Jun 4 14:00:17 2005 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Request | | 2.5.8-6 | Re: password encryption

Alex H wrote:
I have found a little problem with elog. I'm using ELOG V2.5.8-6. When I'm on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release?
Thanks a lot.
Alex


I switched the login page to the HTTP "POST" method, where arguments are not passed in the URL.

The new version is under CVS. Can you try if the behaviour is better now? I upgraded also the ELOG forum, so you can try there as well.
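
The GET-versus-POST difference discussed in this thread, as an added example that is not part of the original posts or of ELOG's code: it builds the request a browser would send for each form method, reports where the password ends up, and masks password parameters in an already-logged request line. The host, path and field names (`user`, `password`) are hypothetical, and the sample values are constructed.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Hypothetical parameter names; ELOG's real field names are not shown on the page.
SENSITIVE = {"password", "passwd", "pwd"}

def build_login_request(method, path, fields, host="elog.example"):
    """Return the raw HTTP/1.1 request a browser sends for a login form.
    Hidden and visible form fields are serialized identically."""
    encoded = urlencode(fields)
    if method == "GET":
        return f"GET {path}?{encoded} HTTP/1.1\r\nHost: {host}\r\n\r\n"
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(encoded)}\r\n\r\n{encoded}")

def password_locations(raw_request, secret):
    """Report which parts of the request carry the secret."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    return {
        "url": secret in request_line,   # status bar, history, Referer, access logs
        "body": secret in body,          # kept out of the URL
        "on_wire_plaintext": secret in raw_request,  # true for both unless SSL is used
    }

def redact_request_line(line):
    """Mask sensitive query parameters in a logged request line."""
    method, target, version = line.split(" ", 2)
    parts = urlsplit(target)
    query = [(k, "***" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = urlunsplit(parts._replace(query=urlencode(query, safe="*")))
    return f"{method} {target} {version}"

if __name__ == "__main__":
    fields = {"user": "alex", "password": "s3cret"}  # constructed sample values
    for method in ("GET", "POST"):
        request = build_login_request(method, "/demo/", fields)
        print(method, password_locations(request, fields["password"]))
    print(redact_request_line("GET /demo/?user=alex&password=s3cret HTTP/1.1"))
```

POST keeps the password out of the URL, but `on_wire_plaintext` is true for both methods, which is why SSL is still recommended earlier in the thread.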