| ID |
Date |
Icon |
Author |
Author Email |
Category |
OS |
ELOG Version |
Subject |
|
69299
|
Wed Feb 3 17:28:16 2021 |
 | Gabriel Lopez | gabelopez@bnl.gov | Bug report | Linux | 3.1.4 | Re: Path disclosure on unfound file | Hello, This is coming up as a high vulnerability in our scans. Are there plans to update the rpm for this fix? If so is there an ETA? Any update would be much appreciated. Currently running elog-3.1.4-2
| Stefan Ritt wrote: |
|
Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a
| prinnydood wrote: |
|
I can confirm this issue exists on version 3.1.3, which I have installed elog on Debian 10.
The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.
This is what I found:
1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish
2. if I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd
3. if I include any .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ( "dot" + gibberish) exposes the path
4. if I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.
Turning on -v (verbose mode), the response by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).
=====
My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.
====
What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.
(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).
|
|
|
|
69306
|
Fri Feb 19 19:48:11 2021 |
| Gabriel Lopez | gabelopez@bnl.gov | Bug report | Linux | 3.1.4 | Re: Path disclosure on unfound file | Thank you for your work. Works like a charm!
| Stefan Ritt wrote: |
|
I made a new RPM: https://elog.psi.ch/elog/download/RPMS/elog-3.1.4-3.el7.x86_64.rpm
| Gabriel Lopez wrote: |
|
Hello, This is coming up as a high vulnerability in our scans. Are there plans to update the rpm for this fix? If so is there an ETA? Any update would be much appreciated. Currently running elog-3.1.4-2
| Stefan Ritt wrote: |
|
Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a
| prinnydood wrote: |
|
I can confirm this issue exists on version 3.1.3, which I have installed elog on Debian 10.
The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.
This is what I found:
1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish
2. if I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd
3. if I include any .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ( "dot" + gibberish) exposes the path
4. if I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.
Turning on -v (verbose mode), the response by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).
=====
My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.
====
What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.
(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).
|
|
|
|
|
|
69365
|
Thu May 20 21:01:41 2021 |
 | Gabriel Lopez | gabelopez@bnl.gov | Question | Linux | 3.1.4-3 | New user not working | Running elog-3.1.4-3 Can't add users through the web interface. Clicking add user and writing all the fields in with something doesn't add a user into the PWD file of that logbook. Running a tail -f on the password file shows elog writes the user info with the hashed password 3 times and then deletes the information about 20 seconds later. Has anyone else had a similar issue? This is running on RHEL8.3 |
|
69831
|
Tue Sep 24 19:38:23 2024 |
 | Gabriel Lopez | gabelopez@bnl.gov | Bug report | Linux | elog-3.1.4-3 | Catgegory filtering | Currently have multiple logbooks hosted with elogd. One book is having an issue with Categories. The user regulary uses the category filtering to see one subject for the whole month. This past week it hasn't been working properly. When choosing a drop down category to filter there are not logs found. I've notice the fields under the categories change randomly. Sometimes it would add a % sign where there should be --. Some other fields go from displaying -- Subject -- to just the dashes, thats when the filtered eLogs do not show. Clearing out the erroneous characters can eventually load the specified logs. Has anyone else seen this? Should I just upgrade the system and hope for the best?
PS. while writing this I was able to mitigate the issue by removing the troubled fields from the quick filter section. I'm pretty sure this will not be an issue for my end user but any input is appreciated. |
|
1636
|
Fri Jan 27 20:40:00 2006 |
| G. Vandemoortele | gvdmoort@skynet.be | Question | Linux | 2.6.1 CVS | Running elog as ordinnary user | Hello,
I've configured elog with some commands running a shell :
Preset R-Date = $shell(/usr/bin/date +"%Y/%m/%d %H:%S")
; for testing :
Preset $text = $shell(whoami && set)
Preset $text = Some fixed text
That worked well when elog was started by root (and falling to user elog),
but later, I moved all the elog tree to /home/my_name/.elog,
(I'd like to start it only when I'm logged, it's only for personnal data)
changed all the attributes/permissions ($chown -R my_name:my_group .elog)
and none of these commands still works ! I use the -x option to allow
shell substitution.
More surprisingly, even the fixed text doesn't work (???)
Any explanation ?
By the way, I also seen that it is necessary to set Usr and Grp to "elog"
via the config file even when it's started by root, because otherwise,
you always get the strings 'Falling back to default group "elog"' and
Falling back to default user "elog" in the output of the shell substitutions.
Regards,
Gauthier
|
|
1638
|
Sat Jan 28 10:40:18 2006 |
| G. Vandemoortele | gvdmoort@skynet.be | Question | Linux | 2.6.1 CVS | Re: Running elog as ordinnary user |
| Stefan Ritt wrote: |
First of all, you could use
Preset R-Date = $date
instead of the shell command. Secondly, the command
Preset $text = $shell(whoami && set)
is wrong. Replace it by
Preset text = $shell(whoami && set)
without the "$".
|
I'm sorry ; even with this correction, none of the preset strings created with
a substitution mechanism (shell or built-in) works when elogd is started as
ordinnary user. I've tried the same config file /home/gv/.elog/elogd.cfg :
port = 8080
Language = french
Main Tab = Accueil
Usr = gv
Grp = users
Logbook dir = /home/gv/.elog/logbooks
[gauthier]
Self register = 1
Password file = passwd
Theme = default
Comment = Logbook personnel
Default encoding = 1
Time format = %a, %d/%m/%Y %H:%M
Attributes = Type, Statut, Priorité, Sujet, R-Date
Preset R-Date = $shell(/usr/bin/date +"%Y/%m/%d %H:%S")
Preset text = $shell(whoami && set)
;Preset text = Blablabla
;Preset text = $date
Start page = ?rsort=Record date
List display = R-Date, Type, Statut, Priorité, Sujet
Options Type = Divers, Lectures, Musique, Aca, Finances, Santé
Options Statut = A faire, Exécuté, Journal
Options Priorité = 0, 1, 2, 3
Preset Priorité = 0
Extendable Options = Type
Thread display = $sujet ($entry time)
Required Attributes = Type, Sujet
Page Title = ELOG - $subject
Reverse sort = 1
Quick filter = R-Date, Statut, Type
Sort Attributes = Priorité, R-Date
Started via root (# /usr/sbin/elogd -c /home/gv/.elog/elogd.cfg -x), it works,
but via "gv" ($ /usr/sbin/elogd -c /home/gv/.elog/elogd.cfg -x), it doesn't.
Regards,
Gauthier |
|
435
|
Tue Sep 23 01:10:17 2003 |
| G | levineg@med.govt.nz | Question | Other | elog2.3.9 | Re: FreeBSD Install | I got elog 2.3.9 running on FreeBSD 5.1 successfully,
I compiled elog on a redhat box and then just copied over all the files to
the FreeBSD box and ELOG just ran with no issues.
It's been running under heavy use for at least a month now.
PS: you might need the linux compatibility package installed on BSD though...
> I am getting the following errors when trying to install elog-2.3.9 on
> my FreeBSD box. I am running FreeBSD 4.5-RELEASE.
>
> Many thanks!
>
> "Makefile", line 21: Missing dependency operator
> "Makefile", line 27: Need an operator
> "Makefile", line 29: Missing dependency operator
> "Makefile", line 31: Need an operator
> make: fatal errors encountered -- cannot continue
>
>
> You4eea |
|
447
|
Tue Oct 28 22:40:28 2003 |
 | G | levineg@med.govt.nz | Comment | Other | elog2.3.9 | Re: FreeBSD Install | Thanks for that mate, compiled elog on FreeBSD 5.1 myself no problems just like
you said, great!
>
> FYI- the default "make" on FreeBSD is BSD, not GNU.
>
> The easiest way to build elog on FreeBSD is to install "gmake" (via the port or
> package) and type "gmake". That's all it took for me to build a freshly
> downloaded copy on 5.1 not 5 minutes ago. |
|