ELOG Forum

Demo Discussion

Forum Config Examples Contributions Vulnerabilities

Discussion forum about ELOG, Page 223 of 796

Not logged in

Find | Login | Help

Full | Summary | Threaded | Hide attachments

6362 Entries

Goto page Previous 1, 2, 3 ... 222, 223, 224 ... 794, 795, 796 Next

Thu Jul 8 23:41:43 2004

Re: ELOG & Selection Page

Great! That takes care of the problem for sure.

Cheers once again for such a quick response.

GL.


//we use ELog very extensively internally, it's great, especially now with
replication//


> > The problem I have is I want to have a main selection type page so when a
> > user enters ELOG they see this page with links on it to main logbook groups.
> 
> I added a new flag
> 
> Show top groups = 1
> 
> which shows the list of to groups. Hope this is what you want. The new version
> is available from CVS (see download page).

741

Sun Oct 17 22:47:39 2004

Re: ELOG e-mail notifications - their arrival time is wrong

Ok, i compiled the code below and ran it,
it prints out:

timezone: 134513644

but in BASH shell if i type DATE, then this is the output:
Mon Oct 18 09:44:00 NZDT 2004
so it does know about NZ time...

Anyone got ideas?

Thanks all.
G.


> > Date:  Mon, 11 Oct 2004 12:26:28 -3736512
> 
> The timezone offset (-3736512) is obtained from the "timezone" variable, which
> is initialized with the tzset() function inside elogd. See "man tzset" for
> details. It looks like if the timezone on your FreeBSD box is not correctly
> defined. 
> 
> Try to compile and execute following C program:
> 
> #include <stdio.h>
> #include <time.h>
> 
> main()
> {
>    tzset();
>    printf("timezone: %d\n", timezone);
> }
> 
> This should print something like "timezone: -3600". If not, you might consider
> defining the "TZ" environment variable. Maybe some FreeBSD expert knows some
> details about this.

1077

Tue Apr 12 01:05:20 2005

XML password files, replication & FreeBSD

Ok this really is 2 questions.

1)
I have been running ELOG on FreeBSD no problem for a year now,
but this new version 2.5.8-x doesn't seem to wanna work, it compiles fine 
with a few warnings (see attached logs).
But has issues with password files, now it shows message "Can't open 
passwords.pwd" for all my logbooks. It did convert the password files to 
xml format. I had a good hard look at file permissions and config file with 
no luck. So I went back a version and compiled 2.5.7-1 which works just 
fine with old password files. So something with XML & FreeBSD?...

2)
Version 2.5.7-1 (maybe this has been fixed in 2.5.8?)
When I run a ./elogd -C http://elog.blah.here:88 it clones the config file 
just fine, also seems to copy over all logbook entries.
But once I look through them there's a fault with one of the fields it 
copies over, so entries never show up.

It should be:
========================================
Date: Tue Mar 01 19:41:29 2005
In reply to: 24
Work done by: someuser
Work done at (dd/mm/yy hh:mm):  1/03/05 3:30pm
Downtime duration: 0 min
Planned: Yes
Reason: Normal work
Attachment:
Encoding: plain

But once cloned it looks like this:
========================================
Date: Tue Mar 01 19:41:29 2005
In reply to: 24
Work done by: someuser
Work done at (dd/mm/yy hh: m):  1/03/05 3:30pm
Downtime duration: 0 min
Planned: Yes
Reason: Normal work
Attachment:
Encoding: plain


For some reason it looses the "m" so line 4 instead of having
"hh:mm" has "hh: m"


Cheers,
GL.

Attachment 1: compiling_ELOG_Errors_2.5.7-1.txt

===[root] /usr/local/elog #gmake
gcc -O3 -funroll-loops -fomit-frame-pointer -W -Wall -o elog src/elog.c
gcc -O3 -funroll-loops -fomit-frame-pointer -W -Wall -c -o regex.o src/regex.c
src/regex.c: In function `regex_compile':
src/regex.c:1193: warning: comparison between signed and unsigned
src/regex.c:1208: warning: comparison between signed and unsigned
src/regex.c:1301: warning: comparison between signed and unsigned
src/regex.c:1326: warning: comparison between signed and unsigned
src/regex.c:1340: warning: comparison between signed and unsigned
src/regex.c:1350: warning: comparison between signed and unsigned
src/regex.c:1362: warning: comparison between signed and unsigned
src/regex.c:1368: warning: comparison between signed and unsigned
src/regex.c:1376: warning: comparison between signed and unsigned
src/regex.c:1612: warning: comparison between signed and unsigned
src/regex.c:1630: warning: suggest explicit braces to avoid ambiguous `else'
src/regex.c:1642: warning: comparison between signed and unsigned
src/regex.c:1650: warning: suggest explicit braces to avoid ambiguous `else'
src/regex.c:1686: warning: comparison between signed and unsigned
src/regex.c:1702: warning: comparison between signed and unsigned
src/regex.c:1730: warning: comparison between signed and unsigned
src/regex.c:1817: warning: comparison between signed and unsigned
src/regex.c:1930: warning: comparison between signed and unsigned
src/regex.c:1936: warning: comparison between signed and unsigned
src/regex.c:1941: warning: comparison between signed and unsigned
src/regex.c:1945: warning: comparison between signed and unsigned
src/regex.c:1949: warning: comparison between signed and unsigned
src/regex.c:1953: warning: comparison between signed and unsigned
src/regex.c:1957: warning: comparison between signed and unsigned
src/regex.c:1961: warning: comparison between signed and unsigned
src/regex.c:1979: warning: comparison between signed and unsigned
src/regex.c:2027: warning: comparison between signed and unsigned
src/regex.c:2031: warning: comparison between signed and unsigned
src/regex.c: In function `compile_range':
src/regex.c:2240: warning: comparison between signed and unsigned
src/regex.c:2242: warning: signed and unsigned type in conditional expression
src/regex.c:2242: warning: signed and unsigned type in conditional expression
src/regex.c: In function `re_match_2':
src/regex.c:3317: warning: comparison between signed and unsigned
src/regex.c:3407: warning: comparison between signed and unsigned
src/regex.c:3431: warning: comparison between signed and unsigned
src/regex.c:3470: warning: empty body in an else-statement
src/regex.c:3484: warning: comparison between signed and unsigned
src/regex.c:3500: warning: comparison between signed and unsigned
src/regex.c:3775: warning: comparison between signed and unsigned
src/regex.c:3775: warning: unused variable `destination'
src/regex.c:3922: warning: comparison between signed and unsigned
src/regex.c:3922: warning: unused variable `destination'
src/regex.c:3975: warning: comparison between signed and unsigned
src/regex.c:3975: warning: unused variable `destination'
src/regex.c:4081: warning: comparison between signed and unsigned
src/regex.c:4114: warning: comparison between signed and unsigned
src/regex.c:4114: warning: unused variable `destination'
src/regex.c:4127: warning: comparison between signed and unsigned
src/regex.c:4127: warning: unused variable `destination'
src/regex.c:4295: warning: comparison between signed and unsigned
src/regex.c: In function `regcomp':
src/regex.c:4770: warning: signed and unsigned type in conditional expression
src/regex.c: In function `regerror':
src/regex.c:4890: warning: comparison between signed and unsigned
src/regex.c: At top level:
src/regex.c:4882: warning: unused parameter 'preg'
In file included from src/regex.c:3838:
src/regex.c: In function `re_match_2':
src/regex.c:4599: warning: passing arg 1 of `bcmp_translate' discards qualifiers from pointer target type
src/regex.c:4599: warning: passing arg 2 of `bcmp_translate' discards qualifiers from pointer target type
gcc -O3 -funroll-loops -fomit-frame-pointer -W -Wall -o elogd src/elogd.c regex.o

gcc -O3 -funroll-loops -fomit-frame-pointer -W -Wall -o elconv src/elconv.c

Attachment 2: compiling_ELOG_Errors_2.5.8.txt

===[root] /usr/local/elog-2.5.8 #gmake
gcc -O3 -funroll-loops -fomit-frame-pointer -W -Wall -o elog src/elog.c
gcc -O3 -funroll-loops -fomit-frame-pointer -W -Wall -c -o regex.o src/regex.c
src/regex.c: In function `regex_compile':
src/regex.c:1193: warning: comparison between signed and unsigned
src/regex.c:1208: warning: comparison between signed and unsigned
src/regex.c:1301: warning: comparison between signed and unsigned
src/regex.c:1326: warning: comparison between signed and unsigned
src/regex.c:1340: warning: comparison between signed and unsigned
src/regex.c:1350: warning: comparison between signed and unsigned
src/regex.c:1362: warning: comparison between signed and unsigned
src/regex.c:1368: warning: comparison between signed and unsigned
src/regex.c:1376: warning: comparison between signed and unsigned
src/regex.c:1612: warning: comparison between signed and unsigned
src/regex.c:1630: warning: suggest explicit braces to avoid ambiguous `else'
src/regex.c:1642: warning: comparison between signed and unsigned
src/regex.c:1650: warning: suggest explicit braces to avoid ambiguous `else'
src/regex.c:1686: warning: comparison between signed and unsigned
src/regex.c:1702: warning: comparison between signed and unsigned
src/regex.c:1730: warning: comparison between signed and unsigned
src/regex.c:1817: warning: comparison between signed and unsigned
src/regex.c:1930: warning: comparison between signed and unsigned
src/regex.c:1936: warning: comparison between signed and unsigned
src/regex.c:1941: warning: comparison between signed and unsigned
src/regex.c:1945: warning: comparison between signed and unsigned
src/regex.c:1949: warning: comparison between signed and unsigned
src/regex.c:1953: warning: comparison between signed and unsigned
src/regex.c:1957: warning: comparison between signed and unsigned
src/regex.c:1961: warning: comparison between signed and unsigned
src/regex.c:1979: warning: comparison between signed and unsigned
src/regex.c:2027: warning: comparison between signed and unsigned
src/regex.c:2031: warning: comparison between signed and unsigned
src/regex.c: In function `compile_range':
src/regex.c:2240: warning: comparison between signed and unsigned
src/regex.c:2242: warning: signed and unsigned type in conditional expression
src/regex.c:2242: warning: signed and unsigned type in conditional expression
src/regex.c: In function `re_match_2':
src/regex.c:3317: warning: comparison between signed and unsigned
src/regex.c:3407: warning: comparison between signed and unsigned
src/regex.c:3431: warning: comparison between signed and unsigned
src/regex.c:3470: warning: empty body in an else-statement
src/regex.c:3484: warning: comparison between signed and unsigned
src/regex.c:3500: warning: comparison between signed and unsigned
src/regex.c:3775: warning: comparison between signed and unsigned
src/regex.c:3775: warning: unused variable `destination'
src/regex.c:3922: warning: comparison between signed and unsigned
src/regex.c:3922: warning: unused variable `destination'
src/regex.c:3975: warning: comparison between signed and unsigned
src/regex.c:3975: warning: unused variable `destination'
src/regex.c:4081: warning: comparison between signed and unsigned
src/regex.c:4114: warning: comparison between signed and unsigned
src/regex.c:4114: warning: unused variable `destination'
src/regex.c:4127: warning: comparison between signed and unsigned
src/regex.c:4127: warning: unused variable `destination'
src/regex.c:4295: warning: comparison between signed and unsigned
src/regex.c: In function `regcomp':
src/regex.c:4770: warning: signed and unsigned type in conditional expression
src/regex.c: In function `regerror':
src/regex.c:4890: warning: comparison between signed and unsigned
src/regex.c: At top level:
src/regex.c:4882: warning: unused parameter 'preg'
In file included from src/regex.c:3838:
src/regex.c: In function `re_match_2':
src/regex.c:4599: warning: passing arg 1 of `bcmp_translate' discards qualifiers from pointer target type
src/regex.c:4599: warning: passing arg 2 of `bcmp_translate' discards qualifiers from pointer target type
gcc -O3 -funroll-loops -fomit-frame-pointer -W -Wall -DHAVE_STRLCPY -c -o mxml.o ../mxml/mxml.c
gcc -O3 -funroll-loops -fomit-frame-pointer -W -Wall -I../mxml -o elogd src/elogd.c regex.o mxml.o
gcc -O3 -funroll-loops -fomit-frame-pointer -W -Wall -o elconv src/elconv.c

1081

Wed Apr 13 00:40:55 2005

Re: XML password files, replication & FreeBSD

> > I have been running ELOG on FreeBSD no problem for a year now,
> > but this new version 2.5.8-x doesn't seem to wanna work, it compiles fine 
> > with a few warnings (see attached logs).
> > But has issues with password files, now it shows message "Can't open 
> > passwords.pwd" for all my logbooks. It did convert the password files to 
> > xml format. I had a good hard look at file permissions and config file with 
> > no luck. So I went back a version and compiled 2.5.7-1 which works just 
> > fine with old password files. So something with XML & FreeBSD?...
> 
> Hard to say. The simplest would be if I could debug this.

Anything I could send you to help debug this?

> 
> > Version 2.5.7-1 (maybe this has been fixed in 2.5.8?)
> > When I run a ./elogd -C http://elog.blah.here:88 it clones the config file 
> > just fine, also seems to copy over all logbook entries.
> > But once I look through them there's a fault with one of the fields it 
> > copies over, so entries never show up.
> > 
> > It should be:
> > ========================================
> > Date: Tue Mar 01 19:41:29 2005
> > In reply to: 24
> > Work done by: someuser
> > Work done at (dd/mm/yy hh:mm):  1/03/05 3:30pm
> > Downtime duration: 0 min
> > Planned: Yes
> > Reason: Normal work
> > Attachment:
> > Encoding: plain
> > 
> > But once cloned it looks like this:
> > ========================================
> > Date: Tue Mar 01 19:41:29 2005
> > In reply to: 24
> > Work done by: someuser
> > Work done at (dd/mm/yy hh: m):  1/03/05 3:30pm
> > Downtime duration: 0 min
> > Planned: Yes
> > Reason: Normal work
> > Attachment:
> > Encoding: plain
> > 
> > 
> > For some reason it looses the "m" so line 4 instead of having
> > "hh:mm" has "hh: m"
> 
> Your problem is that the attribute "Work done at (dd/mm/yy hh:mm)" which
> contains a ":". This character is not allowed in attributes. Unfortunately I did
> not document this (and even didn't know this until now... (;-) ). So you should
> use the new option
> 
> Type Work done at = datetime
> 
> this gives you at the entry mask fields for day/month/year/hour/minute to fill
> out, so you don't have to write it directly into the attribute. Another option
> would be to use 
> 
> Comment Work done at = Please enter as (dd/mm/yy hh:mm)
> 
> which just displays a comment below the attribute in the entry mask.
> 
> - Stefan

Ok, i see, the problem for me now is that this attribute name has been in use for 
half a year or so by me. So now I have 100's of logbook entries with the old name 
in them, if I change it's name then all old logbook entries will show up with that 
field blank. I'm not sure if there's an easy way to change that attribute's name in 
100's of entries in 10's of logbooks, because I wouldn't want to try doing that by 
hand.. Any ideas? (i'm no good at scripting something like that 4 sure)

Thanks,
G.

1636

Fri Jan 27 20:40:00 2006

Running elog as ordinnary user

Hello,

I've configured elog with some commands running a shell :

Preset R-Date = $shell(/usr/bin/date +"%Y/%m/%d %H:%S")
; for testing :
Preset $text = $shell(whoami && set)
Preset $text = Some fixed text

That worked well when elog was started by root (and falling to user elog),
but later, I moved all the elog tree to /home/my_name/.elog,
(I'd like to start it only when I'm logged, it's only for personnal data)
changed all the attributes/permissions ($chown -R my_name:my_group .elog)
and none of these commands still works ! I use the -x option to allow
shell substitution.

More surprisingly, even the fixed text doesn't work (???)

Any explanation ?

By the way, I also seen that it is necessary to set Usr and Grp to "elog"
via the config file even when it's started by root, because otherwise,
you always get the strings 'Falling back to default group "elog"' and
Falling back to default user "elog" in the output of the shell substitutions.

Regards,

Gauthier

1638

Sat Jan 28 10:40:18 2006

Re: Running elog as ordinnary user

Stefan Ritt wrote:

First of all, you could use

Preset R-Date = $date

instead of the shell command. Secondly, the command

Preset $text = $shell(whoami && set)

is wrong. Replace it by

Preset text = $shell(whoami && set)

without the "$".

I'm sorry ; even with this correction, none of the preset strings created with
a substitution mechanism (shell or built-in) works when elogd is started as
ordinnary user. I've tried the same config file /home/gv/.elog/elogd.cfg :

port = 8080
Language = french
Main Tab = Accueil
Usr = gv
Grp = users
Logbook dir = /home/gv/.elog/logbooks


[gauthier]
Self register = 1
Password file = passwd

Theme = default
Comment = Logbook personnel
Default encoding = 1
Time format = %a, %d/%m/%Y %H:%M
Attributes = Type, Statut, Priorit�, Sujet, R-Date
Preset R-Date = $shell(/usr/bin/date +"%Y/%m/%d %H:%S")
Preset text = $shell(whoami && set)
;Preset text = Blablabla                                       
;Preset text = $date                                           
Start page = ?rsort=Record date
List display = R-Date, Type, Statut, Priorit�, Sujet
Options Type = Divers, Lectures, Musique, Aca, Finances, Sant�
Options Statut = A faire, Ex�cut�, Journal
Options Priorit� = 0, 1, 2, 3
Preset  Priorit� = 0
Extendable Options = Type
Thread display = $sujet ($entry time)
Required Attributes = Type, Sujet
Page Title = ELOG - $subject
Reverse sort = 1
Quick filter = R-Date, Statut, Type
Sort Attributes = Priorit�, R-Date

Started via root (# /usr/sbin/elogd -c /home/gv/.elog/elogd.cfg -x), it works,
but via "gv" ($ /usr/sbin/elogd -c /home/gv/.elog/elogd.cfg -x), it doesn't.

Regards,

Gauthier

69299

Wed Feb 3 17:28:16 2021

Re: Path disclosure on unfound file

Hello, This is coming up as a high vulnerability in our scans. Are there plans to update the rpm for this fix? If so is there an ETA? Any update would be much appreciated. Currently running elog-3.1.4-2

Stefan Ritt wrote:

Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a

prinnydood wrote:

I can confirm this issue exists on version 3.1.3, which I have installed elog on Debian 10.

The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.

This is what I found:

1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish

2. if I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd

3. if I include any .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ( "dot" + gibberish) exposes the path

4. if I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.

Turning on -v (verbose mode), the response by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).

=====

My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.

====

What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.

(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).

69306

Fri Feb 19 19:48:11 2021

Re: Path disclosure on unfound file

Thank you for your work. Works like a charm!

Stefan Ritt wrote:

I made a new RPM: https://elog.psi.ch/elog/download/RPMS/elog-3.1.4-3.el7.x86_64.rpm

Gabriel Lopez wrote:

Stefan Ritt wrote:

Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a

prinnydood wrote:

I can confirm this issue exists on version 3.1.3, which I have installed elog on Debian 10.

The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.

This is what I found:

1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish

=====

My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.

====

(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).

Goto page Previous 1, 2, 3 ... 222, 223, 224 ... 794, 795, 796 Next

ELOG V3.1.5-2eba886