Discussion forum about ELOG, Page 557 of 808
ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
69299 | Wed Feb 3 17:28:16 2021 | Reply | Gabriel Lopez | gabelopez@bnl.gov | Bug report | Linux | 3.1.4 | Re: Path disclosure on unfound file

Hello, This is coming up as a high vulnerability in our scans. Are there plans to update the rpm for this fix? If so, is there an ETA? Any update would be much appreciated. Currently running elog-3.1.4-2.

Stefan Ritt wrote:

Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a

prinnydood wrote:

I can confirm this issue exists on version 3.1.3, which I have installed on Debian 10.

The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.

This is what I found:

1. If I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish

2. If I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd

3. If I include the .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ("dot" + gibberish) exposes the path.

4. If I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.

Turning on -v (verbose mode), the responses by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).

=====

My guess: the program seems to care about the files ONLY if they have an html file extension. Please see the screenshots below.

====

What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.

(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).
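To make the reported behaviour and the fix concrete ("the path gets stripped"), here is an added example in C that is not ELOG's own code: it builds the "file not found" text for a theme request the leaky way (full server path echoed) and the hardened way (only the final path component reported), with a check a scanner would apply to the response. The THEME_DIR constant and the request names are constructed from the report above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed from the report above: the theme directory the server resolves
 * theme files against. Not taken from ELOG's source. */
#define THEME_DIR "/usr/share/elog/themes/default/"

/* Leaky pattern (the behaviour reported for .html requests): the error text
 * echoes the full server-side path that was tried. */
static void not_found_leaky(const char *request, char *out, size_t n)
{
    char path[512];
    snprintf(path, sizeof path, "%s%s", THEME_DIR, request);
    snprintf(out, n, "File %s not found", path);
}

/* Hardened pattern ("the path gets stripped"): resolve the same path, but
 * report only the final component, so the directory layout stays private. */
static void not_found_safe(const char *request, char *out, size_t n)
{
    char path[512];
    const char *base;
    snprintf(path, sizeof path, "%s%s", THEME_DIR, request);
    base = strrchr(path, '/');          /* last '/' ends the directory part */
    base = base ? base + 1 : path;
    snprintf(out, n, "File %s not found", base);
}

/* Check a vulnerability scanner applies to the response body: does the
 * message contain the server-side directory? 1 = disclosure, 0 = clean. */
static int discloses_path(const char *msg)
{
    return strstr(msg, THEME_DIR) != NULL;
}

int main(void)
{
    char msg[600];
    const char *requests[] = { "gibberish.html", ".gibberish.html" };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        not_found_leaky(requests[i], msg, sizeof msg);
        printf("leaky: %-62s disclosure=%d\n", msg, discloses_path(msg));
        not_found_safe(requests[i], msg, sizeof msg);
        printf("safe : %-62s disclosure=%d\n", msg, discloses_path(msg));
    }
    return 0;
}
```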

69306 | Fri Feb 19 19:48:11 2021 | Reply | Gabriel Lopez | gabelopez@bnl.gov | Bug report | Linux | 3.1.4 | Re: Path disclosure on unfound file

Thank you for your work. Works like a charm!

Stefan Ritt wrote:

I made a new RPM: https://elog.psi.ch/elog/download/RPMS/elog-3.1.4-3.el7.x86_64.rpm

69365 | Thu May 20 21:01:41 2021 | Question | Gabriel Lopez | gabelopez@bnl.gov | Question | Linux | 3.1.4-3 | New user not working

Running elog-3.1.4-3. Can't add users through the web interface. Clicking add user and filling all the fields in with something doesn't add a user into the PWD file of that logbook. Running a tail -f on the password file shows elog writes the user info with the hashed password 3 times and then deletes the information about 20 seconds later. Has anyone else had a similar issue? This is running on RHEL8.3.

69831 | Tue Sep 24 19:38:23 2024 | Entry | Gabriel Lopez | gabelopez@bnl.gov | Bug report | Linux | elog-3.1.4-3 | Category filtering

Currently have multiple logbooks hosted with elogd. One book is having an issue with Categories. The user regularly uses the category filtering to see one subject for the whole month. This past week it hasn't been working properly. When choosing a drop-down category to filter, there are no logs found. I've noticed the fields under the categories change randomly. Sometimes it would add a % sign where there should be --. Some other fields go from displaying -- Subject -- to just the dashes; that's when the filtered eLogs do not show. Clearing out the erroneous characters can eventually load the specified logs. Has anyone else seen this? Should I just upgrade the system and hope for the best?

 

PS. While writing this I was able to mitigate the issue by removing the troubled fields from the quick filter section. I'm pretty sure this will not be an issue for my end user, but any input is appreciated.

1161 | Mon May 30 19:18:34 2005 | Reply | Gary Clayson | g_clayson@sbcglobal.net | Request | Windows | 2.5.8-6 | Re: password encryption
Hello Alex and Stefan,

I know of only one way to "hide" the text of the status bar in a web browser;
use JavaScript - specifically the status method (as in the following example):

<!-- the following goes in the body of the document, perhaps in a link. -->

<!-- sample link -->
<a href="javascript://place link url here"
onMouseOver="window.status='Status Bar Text Goes Here'; return true">Link Text Here</a>

<!-- place the following script in the head of the document -->
<script language="JavaScript" type="text/javascript"><!--
window.defaultStatus="Default Status Bar Text Here";
--></script>

Of course the above only works in those browsers that support javascripting,
but it is one way to hide the actual text of links from the user.
Hopefully this helps you!

Gary Clayson


Alex H wrote:
Hi Stefan,

I have found a little problem with elog. I'm using ELOG V2.5.8-6. When I'm on the logon page,
I type my Login and password and hit "submit"; in the bottom of IE, we can show my password without encryption, which can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release?
Thanks a lot.
Alex
1168 | Thu Jun 2 06:45:55 2005 | Question | Gary Clayson | g_clayson@sbcglobal.net | Info | Windows | latest | A comprehensive listing of all commands elog performs
Can someone please enter a comprehensive list of the commands eLog will honor. I'm trying to build a 'decent' start page and am not totally familiar with eLog just yet. Thanks Stefan for an awesome application. The documentation is really decent, too. I just have been unable to locate a list of all commands available.
Thanks in advance.
Gary ;->
1850 | Wed Jun 21 22:11:15 2006 | Entry | Gerald Ebberink | g.h.p.ebberink@nclr.nl | Question | Linux | 2.6.1 | restrict access
Dear all,

I am trying to get elog used in our company but I need some help.
I have two small questions:

-1- How can I restrict the access of a certain user such that he can only see certain logbooks,
and also not show the other logbooks on the selection page?
So we could have a tree like this:

Stage one
|
|->Stage 2
       |
       |
      / \
     |   |
    Co1 Co2
    /     \
  job     job

So when Co1 logs in, they should not be able to see Co2 and the attached job.

-2- How can I have a login page instead of the logbook selection page?
When I insert the password statement in the config, I get a blank page.
1853 | Thu Jun 22 11:29:17 2006 | Reply | Gerald Ebberink | g.h.p.ebberink@nclr.nl | Question | Linux | 2.6.1 | Re: restrict access
> > -1- how can I restrict the access 
> > of a certain user such that he can only see certain logbooks. 
> 
> This can be achieved with the "Login user = ..." option.

That is what I found in the meantime. And it works like a charm.

> 
> > But also not showing the other logbooks on the selection page.
> 
> You could try to use "top groups". This gives you "separate" groups of logbooks, so you could make a public tree
> seen by everybody and private trees only seen by a few people. Please read the documentation for details.

I'm now using this (I had to redesign our tree for that).

> > -2- How can I have a login page instead of the logbook selection page.
> > When I insert the password statement the config, I get a blank page.
> 
> You get a login page instead of the selection page if the "Password file = " statement is in the [global] section
> and "Protect selection page = 1". You might have to delete all cookies in your browser if you move the password
> file statement between the [global] and the logbook sections, because otherwise the old cookies might prevent you
> from logging out.

This is not working for me: in Mozilla Firefox I'm still getting a blank page, while IE is giving me an error stating that the page is unavailable.
ELOG V3.1.5-3fb85fa6