| ID |
Date |
Icon |
Author |
Author Email |
Category |
OS |
ELOG Version |
Subject |
|
69306
|
Fri Feb 19 19:48:11 2021 |
 | Gabriel Lopez | gabelopez@bnl.gov | Bug report | Linux | 3.1.4 | Re: Path disclosure on unfound file | Thank you for your work. Works like a charm!
| Stefan Ritt wrote: |
|
I made a new RPM: https://elog.psi.ch/elog/download/RPMS/elog-3.1.4-3.el7.x86_64.rpm
| Gabriel Lopez wrote: |
|
Hello, This is coming up as a high vulnerability in our scans. Are there plans to update the rpm for this fix? If so is there an ETA? Any update would be much appreciated. Currently running elog-3.1.4-2
| Stefan Ritt wrote: |
|
Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a
| prinnydood wrote: |
|
I can confirm this issue exists on version 3.1.3, which I have installed elog on Debian 10.
The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.
This is what I found:
1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish
2. if I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd
3. if I include any .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ( "dot" + gibberish) exposes the path
4. if I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.
Turning on -v (verbose mode), the response by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).
=====
My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.
====
What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.
(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).
|
|
|
|
|
|
69311
|
Mon Mar 1 16:02:02 2021 |
 | Sebastian Schenk | sebastian.schenk@physik.uni-halle.de | Bug report | Linux | 395e101 bitbuck | Last default time bug | Hello all,
I have the issue, that we can't list entries older than 1 year, if "Last default = 31" (or any other number, but they are restricted to 1, 3, 7, 31, 92, 182, 364) is active.
The quick filter displays the option for "-- all entries --" but selecting this only reloads the default time frame (31 days).
A workaroud is to select a different time e.g. 1 day and then modifying the URL to ?last=1000 or so, gives acces to the old entries.
But this is not the intended way to do it.
The Find results are also affected by this. e.g. selecting 1.1.2020 to 1.6.2020 with "Last default = 31" yields 0 results.
The "Show last default" atrtribute for 1, 3, 7, 31, 92, 182, 364 work fine and overwrite the "last default" time in the quick filter.
In the Find page, there will be a "All entries" option at the top of the date selection box, if "Show last default" equals to 1, 3, 7, 31, 92, 182 or 364
(2, Bug: it is empty for "Show last default = 0" and not All entries")
Selecting "All entries" or the empty first value in the Find "show last:" date , will give a Find result with the "Last default" time constraint.
Thus it is not possible to get any entry older then the longst period possible (364 days), if you don't know about the workaround.
Best wishes,
Sebastian
PS: I use a self-compiled version of elog up to the 395e101 commit in the bitbucket repository with pull request #7 (which hasn't been merged for over 1,5 years) and a simple patch for our local LDAP. |
|
69349
|
Fri Apr 23 04:59:58 2021 |
 | gary holman | holman@uw.edu | Bug report | Linux | ELOG V3.1.4-611 | segfault in auth.c:366 | Elog version: ELOG V3.1.4-611489ba
I am running openldap on the localhost. For some reason now, elogd is segfaulting when (I believe) when a new user is being added to the password file. For example:
1. I delete user passord file defined in elogd.cfg
2. Bind/Authenticate to LDAP successfully
3. Segfaults in auth.c ldap_adduser_file()
Makefile:
...
ELOGDIR = /opt/elog
DESTDIR = $(ROOT)$(PREFIX)/bin
SDESTDIR = $(ROOT)$(PREFIX)/sbin
RCDIR = $(ROOT)/etc/rc.d/init.d
SRVDIR = $(ROOT)/usr/lib/systemd/system
# flag for SSL support
USE_SSL = 1
# flag for Kerberos support, please turn off if you don't need Kerberos
USE_KRB5 = 0
# flag for LDAP support, please turn off if you don't need LDAP
USE_LDAP = 1# flag for PAM support, please turn of if you don't need PAM
USE_PAM = 0
...
For authentication, I am using openldap in the localhost:
----
Authentication = LDAP
LDAP server = ldap://localhost:389
LDAP userbase = ou=people,dc=example,dc=org
LDAP login attribute = uid
LDAP register = 1
Password file = /opt/elog/users
gdb output
----------
(gdb) run -s /opt/elog -c /opt/elog/elogd.cfg -f /var/run/elog/elog.pid
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/ubuntu/UPGRADE-42221/work-src/elog/elogd -s /opt/elog -c /opt/elog/elogd.cfg -f /var/run/elog/elog.pid
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
elogd 3.1.4 built Apr 22 2021, 19:19:39 revision 611489ba
File "/var/run/elog/elog.pid" exists, overwriting it.
CKeditor detected
ImageMagick detected
Indexing logbooks ... done
Server listening on port 9011 ...
Breakpoint 1, ldap_adduser_file (lbs=0x555556811ad8, user=0x7ffffffd3bd0 "testuser", password=0x5555558ea110 <_value+6000> "testuser", error_str=0x7ffffffd53d0 "", error_size=<optimized out>) at src/auth.c:350
350 if (rc != LDAP_SUCCESS) {
(gdb) n
337 rc = ldap_search_ext_s(
(gdb) n
350 if (rc != LDAP_SUCCESS) {
(gdb) n
358 for(entry = ldap_first_entry(ldap_ld,result);
(gdb) n
371 if(strcmp(attribute,"mail")==0 || strcmp(attribute,"rfc822Mailbox")==0)
(gdb) n
361 for(attribute = ldap_first_attribute(ldap_ld,entry,&ber);
(gdb) n
365 if((values = ldap_get_values(ldap_ld,entry,attribute)) != NULL ) {
(gdb) n
366 for(i=0; values[i] != NULL; i++) {
(gdb) n
Program received signal SIGSEGV, Segmentation fault.
ldap_adduser_file (lbs=0x555556811ad8, user=0x7ffffffd3bd0 "testuser", password=0x5555558ea110 <_value+6000> "testuser", error_str=<optimized out>, error_size=<optimized out>) at src/auth.c:366
366 for(i=0; values[i] != NULL; i++) {
(gdb) p attribute
$1 = 0x5555567f6a20 "uid"
(gdb) p values
$2 = (char **) 0x567f74f0
This user in LDAP:
-------------------------
# TESTUSER, people, example.org
dn: uid=TESTUSER,ou=people,dc=example,dc=org
uid: TESTUSER
cn: TESTUSER
givenName: TESTUSER
sn:: VEVTVFVTRVIg
mail: TESTUSER
uidNumber: 10000
gidNumber: 10000
homeDirectory: /dev/null
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword:: e1NTSEF9Y21ua1lsdFpMZ3ZrZlZ4OUp3MFN3cUY3NWIzdkFCSWY=
|
|
69350
|
Fri Apr 23 15:46:39 2021 |
| Sebastian Schenk | sebastian.schenk@physik.uni-halle.de | Bug report | Linux | ELOG V3.1.4-611 | Re: segfault in auth.c:366 | Hi Mr. Holman,
The problem you are facing is more likely the issue, that the LDAP method is only provided as-is from a different developer.
I had a similar issue with the LDAP of my university.
I can't remember the correct error messages, but it looks similar, which arises from the used c library for LDAP.
The LDAP connection response can have 2 different variable types and only one of them is implemented in the elog, the other one crashes the elog with segfault.
I could fix it with this patch:
https://bitbucket.org/merrx/elog/commits/5a75fdb3e0b723380dae73bb57653946ed72690c
Obviously you have to adapt "displayName" and "postOfficeBox" to represent the name and email attributes of your LDAP structure.
I didn't made a PR for this commit, because it would break the current LDAP implementation, i assume.
Best wishes,
Sebastian
| gary holman wrote: |
|
Elog version: ELOG V3.1.4-611489ba
I am running openldap on the localhost. For some reason now, elogd is segfaulting when (I believe) when a new user is being added to the password file. For example:
1. I delete user passord file defined in elogd.cfg
2. Bind/Authenticate to LDAP successfully
3. Segfaults in auth.c ldap_adduser_file()
Makefile:
...
ELOGDIR = /opt/elog
DESTDIR = $(ROOT)$(PREFIX)/bin
SDESTDIR = $(ROOT)$(PREFIX)/sbin
RCDIR = $(ROOT)/etc/rc.d/init.d
SRVDIR = $(ROOT)/usr/lib/systemd/system
# flag for SSL support
USE_SSL = 1
# flag for Kerberos support, please turn off if you don't need Kerberos
USE_KRB5 = 0
# flag for LDAP support, please turn off if you don't need LDAP
USE_LDAP = 1# flag for PAM support, please turn of if you don't need PAM
USE_PAM = 0
...
For authentication, I am using openldap in the localhost:
----
Authentication = LDAP
LDAP server = ldap://localhost:389
LDAP userbase = ou=people,dc=example,dc=org
LDAP login attribute = uid
LDAP register = 1
Password file = /opt/elog/users
gdb output
----------
(gdb) run -s /opt/elog -c /opt/elog/elogd.cfg -f /var/run/elog/elog.pid
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/ubuntu/UPGRADE-42221/work-src/elog/elogd -s /opt/elog -c /opt/elog/elogd.cfg -f /var/run/elog/elog.pid
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
elogd 3.1.4 built Apr 22 2021, 19:19:39 revision 611489ba
File "/var/run/elog/elog.pid" exists, overwriting it.
CKeditor detected
ImageMagick detected
Indexing logbooks ... done
Server listening on port 9011 ...
Breakpoint 1, ldap_adduser_file (lbs=0x555556811ad8, user=0x7ffffffd3bd0 "testuser", password=0x5555558ea110 <_value+6000> "testuser", error_str=0x7ffffffd53d0 "", error_size=<optimized out>) at src/auth.c:350
350 if (rc != LDAP_SUCCESS) {
(gdb) n
337 rc = ldap_search_ext_s(
(gdb) n
350 if (rc != LDAP_SUCCESS) {
(gdb) n
358 for(entry = ldap_first_entry(ldap_ld,result);
(gdb) n
371 if(strcmp(attribute,"mail")==0 || strcmp(attribute,"rfc822Mailbox")==0)
(gdb) n
361 for(attribute = ldap_first_attribute(ldap_ld,entry,&ber);
(gdb) n
365 if((values = ldap_get_values(ldap_ld,entry,attribute)) != NULL ) {
(gdb) n
366 for(i=0; values[i] != NULL; i++) {
(gdb) n
Program received signal SIGSEGV, Segmentation fault.
ldap_adduser_file (lbs=0x555556811ad8, user=0x7ffffffd3bd0 "testuser", password=0x5555558ea110 <_value+6000> "testuser", error_str=<optimized out>, error_size=<optimized out>) at src/auth.c:366
366 for(i=0; values[i] != NULL; i++) {
(gdb) p attribute
$1 = 0x5555567f6a20 "uid"
(gdb) p values
$2 = (char **) 0x567f74f0
This user in LDAP:
-------------------------
# TESTUSER, people, example.org
dn: uid=TESTUSER,ou=people,dc=example,dc=org
uid: TESTUSER
cn: TESTUSER
givenName: TESTUSER
sn:: VEVTVFVTRVIg
mail: TESTUSER
uidNumber: 10000
gidNumber: 10000
homeDirectory: /dev/null
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword:: e1NTSEF9Y21ua1lsdFpMZ3ZrZlZ4OUp3MFN3cUY3NWIzdkFCSWY=
|
|
|
69351
|
Fri Apr 23 16:21:05 2021 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug report | Linux | ELOG V3.1.4-611 | Re: segfault in auth.c:366 | Well, if you find a solution with works for everybody, I'm happy to commit it to the main repository. But unfortunately I cannot test it because I don't have LDAP here, so I'm flying blind.
Stefan |
|
69354
|
Sun Apr 25 15:17:27 2021 |
| Laurent Jean-Rigaud | lollspam@free.fr | Bug report | Linux | ELOG V3.1.4-611 | Re: segfault in auth.c:366 | Hi,
Maybe it could be useful to add new parameters in elogd.cfg to define the attribute name to use to retrieve the given name, login name and email from LDAP server.
By example :
LDAP email attribute = mail
LDAP surname attribute = id
LDAP givename attribute = gn
So users can define them according to their exotic LDAP schema ;-)
Laurent |
|
69358
|
Wed Apr 28 04:01:49 2021 |
| gary holman | holman@uw.edu | Bug report | Linux | ELOG V3.1.4-611 | Re: segfault in auth.c:366 | Dear Mr Ritt, Mr Schenk,
Thank you for the responses. This was indeed my issue and direction to fix the crash.
Thank you,
Gary
| Sebastian Schenk wrote: |
|
Hi Mr. Holman,
The problem you are facing is more likely the issue, that the LDAP method is only provided as-is from a different developer.
I had a similar issue with the LDAP of my university.
I can't remember the correct error messages, but it looks similar, which arises from the used c library for LDAP.
The LDAP connection response can have 2 different variable types and only one of them is implemented in the elog, the other one crashes the elog with segfault.
I could fix it with this patch:
https://bitbucket.org/merrx/elog/commits/5a75fdb3e0b723380dae73bb57653946ed72690c
Obviously you have to adapt "displayName" and "postOfficeBox" to represent the name and email attributes of your LDAP structure.
I didn't made a PR for this commit, because it would break the current LDAP implementation, i assume.
Best wishes,
Sebastian
| gary holman wrote: |
|
Elog version: ELOG V3.1.4-611489ba
I am running openldap on the localhost. For some reason now, elogd is segfaulting when (I believe) when a new user is being added to the password file. For example:
1. I delete user passord file defined in elogd.cfg
2. Bind/Authenticate to LDAP successfully
3. Segfaults in auth.c ldap_adduser_file()
Makefile:
...
ELOGDIR = /opt/elog
DESTDIR = $(ROOT)$(PREFIX)/bin
SDESTDIR = $(ROOT)$(PREFIX)/sbin
RCDIR = $(ROOT)/etc/rc.d/init.d
SRVDIR = $(ROOT)/usr/lib/systemd/system
# flag for SSL support
USE_SSL = 1
# flag for Kerberos support, please turn off if you don't need Kerberos
USE_KRB5 = 0
# flag for LDAP support, please turn off if you don't need LDAP
USE_LDAP = 1# flag for PAM support, please turn of if you don't need PAM
USE_PAM = 0
...
For authentication, I am using openldap in the localhost:
----
Authentication = LDAP
LDAP server = ldap://localhost:389
LDAP userbase = ou=people,dc=example,dc=org
LDAP login attribute = uid
LDAP register = 1
Password file = /opt/elog/users
gdb output
----------
(gdb) run -s /opt/elog -c /opt/elog/elogd.cfg -f /var/run/elog/elog.pid
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/ubuntu/UPGRADE-42221/work-src/elog/elogd -s /opt/elog -c /opt/elog/elogd.cfg -f /var/run/elog/elog.pid
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
elogd 3.1.4 built Apr 22 2021, 19:19:39 revision 611489ba
File "/var/run/elog/elog.pid" exists, overwriting it.
CKeditor detected
ImageMagick detected
Indexing logbooks ... done
Server listening on port 9011 ...
Breakpoint 1, ldap_adduser_file (lbs=0x555556811ad8, user=0x7ffffffd3bd0 "testuser", password=0x5555558ea110 <_value+6000> "testuser", error_str=0x7ffffffd53d0 "", error_size=<optimized out>) at src/auth.c:350
350 if (rc != LDAP_SUCCESS) {
(gdb) n
337 rc = ldap_search_ext_s(
(gdb) n
350 if (rc != LDAP_SUCCESS) {
(gdb) n
358 for(entry = ldap_first_entry(ldap_ld,result);
(gdb) n
371 if(strcmp(attribute,"mail")==0 || strcmp(attribute,"rfc822Mailbox")==0)
(gdb) n
361 for(attribute = ldap_first_attribute(ldap_ld,entry,&ber);
(gdb) n
365 if((values = ldap_get_values(ldap_ld,entry,attribute)) != NULL ) {
(gdb) n
366 for(i=0; values[i] != NULL; i++) {
(gdb) n
Program received signal SIGSEGV, Segmentation fault.
ldap_adduser_file (lbs=0x555556811ad8, user=0x7ffffffd3bd0 "testuser", password=0x5555558ea110 <_value+6000> "testuser", error_str=<optimized out>, error_size=<optimized out>) at src/auth.c:366
366 for(i=0; values[i] != NULL; i++) {
(gdb) p attribute
$1 = 0x5555567f6a20 "uid"
(gdb) p values
$2 = (char **) 0x567f74f0
This user in LDAP:
-------------------------
# TESTUSER, people, example.org
dn: uid=TESTUSER,ou=people,dc=example,dc=org
uid: TESTUSER
cn: TESTUSER
givenName: TESTUSER
sn:: VEVTVFVTRVIg
mail: TESTUSER
uidNumber: 10000
gidNumber: 10000
homeDirectory: /dev/null
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword:: e1NTSEF9Y21ua1lsdFpMZ3ZrZlZ4OUp3MFN3cUY3NWIzdkFCSWY=
|
|
|
|
69359
|
Fri Apr 30 07:27:31 2021 |
| Faith | faithlessangel85@gmail.com | Bug report | Linux | V3.1.2 | [Bug?] Admin restrict edit time | I would like to know, if the command "Admin restrict edit time = " does really work as intended.
In my case I have the following global configuration:
Admin user = <me>
Restrict edit = 1
Restrict edit time = 1
Admin restrict edit time = 10000
And every time, when I want to edit an entry (as admin), that is older than 1 hour, i get the following error message:
"Entry can only be edited 1 hours after creation"
|
|