| ID |
Date |
Icon |
Author |
Author Email |
Category |
OS |
ELOG Version |
Subject |
|
1075
|
Mon Apr 11 21:22:25 2005 |
 | Stefan Ritt | stefan.ritt@psi.ch | Bug fix | Linux | 2.5.7-1 | Re: Segmentation fault when searching for empty regex |
I applied a similar fix like you proposed, just omit highlighting at all if I get a
zero length match. Changes committed to CVS. |
|
2088
|
Wed Nov 22 02:55:48 2006 |
| Rob Mahurin | rob@utk.edu | Comment | Linux | 2.5.7-1 | Re: Securing Elog with SSL and Apache |
Hi,
I am an apache ignoramus who has been trying to follow these instructions on a Debian 3.1 box. I got hung up for
the following reason. I had to explicitly enable some apache features, which was a simple matter of making the
following symlinks in /etc/apache2/mods-enabled:
proxy.conf -> ../mods-available/proxy.conf
proxy.load -> ../mods-available/proxy.load
rewrite.load -> ../mods-available/rewrite.load
headers.load -> ../mods-available/headers.load
ssl.conf -> ../mods-available/ssl.conf
ssl.load -> ../mods-available/ssl.load
Easy enough. The default proxy.conf has sensible-looking warnings about not running your server as an open proxy.
However, I wasn't able to tweak it to encrypted port forwarding from :443 to :8079.
What I've done that works is to add a local proxy section to the /etc/apache2/conf.d/elogredirect.conf by Damon
Nettles:
<VirtualHost *:443>
### ... everything else
<Proxy *>
Allow from all
</Proxy>
</VirtualHost>
I think, since this is in a subsection, that it only affects that virtual host. But it'd be nice if someone who
actually understands this language would reassure me that I'm not setting myself up for some security hole. At
any rate it took me long enough to figure this out that I thought I'd post a note in public, and this seems like
the forum to do so.
Thanks.
Rob |
|
941
|
Mon Feb 14 12:36:30 2005 |
 | Stefan Ritt | stefan.ritt@psi.ch | Info | Linux | Windows | 2.5.7 | ELOG security vulnerability fixed, IMPORTANT!!!! |
Dear ELOG users,
It has been brought to my attention that ELOG has a vulnerability through
which one can obtain a remote shell (meaning to log in to your machine
through elog). There is even an exploit available which demonstrates that
both for linux and windows.
This is a severe security problem for all logooks which can be seen from
outside, even if they have password protection on. I strongly recommened to
upgrade to elog version 2.5.7 as soon as possible if you run a public elog
server.
Here is some explanation for the technically interested:
The problem arises from a strcpy() in the decode_post() routine, which
triggers a buffer overflow when attachment file names longer than 256
characters are submitted. I replaced (hopefully) all strcpy() with strlcpy()
to fix this problem, but if someone sees a location which I have missed,
please tell me.
The second vulnerability had to do with write passwords. If you put a "write
password = xxx" statement into your config file, it was still possible to
download the config file with a special hand-written URL, and decode the
write password, which is usually only base-64 encoded unless you haven't
compiled elog with the -DHAVE_CRYPT flag. I have changed that so if a write
password is present, the download is only possible when this password is
submitted in each request. If this has some effects on synchronizing of
logbooks, please let me know.
Stefan Ritt |
|
943
|
Mon Feb 14 18:49:44 2005 |
| Recai Oktas | roktas@omu.edu.tr | Info | Linux | 2.5.7 | Re: ELOG security vulnerability fixed, IMPORTANT!!!! |
Attention to Debian users;
I've prepared the fixed package and also contacted to Debian Security Team for
an urgent security upload. Since then you may wish to update your package from
the following URL:
http://l10n-turkish.alioth.debian.org/debian/elog_2.5.7+r1558-1_i386.deb
Or you can also make an update via apt-get by adding the below line to your
'/etc/apt/sources.list' file:
deb http://l10n-turkish.alioth.debian.org/debian/ ./
> The second vulnerability had to do with write passwords. If you put a "write
> password = xxx" statement into your config file, it was still possible to
> download the config file with a special hand-written URL, and decode the
> write password, which is usually only base-64 encoded unless you haven't
> compiled elog with the -DHAVE_CRYPT flag.
FYI, Debian package has already been compiled with this flag.
-- Recai Oktas, Maintainer of Debian package |
|
953
|
Sat Feb 19 18:39:52 2005 |
 | Heiko Scheit | h.scheit@mpi-hd.mpg.de | Bug fix | Linux | 2.5.7 | Problem with 'Show Attributes' option |
There is a problem with the 'Show Attributes' option
causing the 'Format ...' options to be ignored.
See attachment for patch. |
| Attachment 1: patch
|
--- elogd.c_20050219 Sat Feb 19 18:15:09 2005
+++ elogd.c Sat Feb 19 18:25:55 2005
@@ -8169,7 +8169,7 @@
if (format_flags[index] & AFF_SAME_LINE)
/* if attribute on same line, do nothing */
rsprintf("");
- else if (index < n_attr - 1 && (format_flags[index + 1] & AFF_SAME_LINE)) {
+ else if (aindex < n_disp_attr - 1 && (format_flags[attr_index[aindex + 1]] & AFF_SAME_LINE)) {
/* if next attribute on same line, start a new subtable */
rsprintf("<tr><td colspan=2><table width=\"100%%\" cellpadding=0 cellspacing=0><tr>");
subtable = 1;
@@ -8469,7 +8469,7 @@
}
}
- if (index < n_attr - 1 && (format_flags[index + 1] & AFF_SAME_LINE) == 0) {
+ if (aindex < n_disp_attr - 1 && (format_flags[attr_index[aindex + 1]] & AFF_SAME_LINE) == 0) {
/* if next attribute not on same line, close row or subtable */
if (subtable) {
rsprintf("</table></td></tr>\n");
@@ -8479,7 +8479,7 @@
}
/* if last attribute, close row or subtable */
- if (index == n_attr - 1) {
+ if (aindex == n_disp_attr - 1) {
if (subtable) {
rsprintf("</table></td></tr>\n");
subtable = 0;
|
|
954
|
Sun Feb 20 15:30:04 2005 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug fix | Linux | 2.5.7 | Re: Problem with 'Show Attributes' option |
> There is a problem with the 'Show Attributes' option
> causing the 'Format ...' options to be ignored.
>
> See attachment for patch.
Thanks a lot. I applied your patch and committed the changes to CVS. |
|
955
|
Tue Feb 22 01:24:41 2005 |
| Neil Swartz | neilswartz@verizon.net | Bug report | Linux | 2.5.7 | Space in logbook name with password list results in "List" menu acting strange |
If you have a space in a logbook name and you enable password list, then
the "List" menu option forces you to the login page each time.
The URL says "aaa+bbb", but when you do not have passwords enabled, the
URL is "aaa bbb" |
|
956
|
Tue Feb 22 10:35:17 2005 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug report | Linux | 2.5.7 | Re: Space in logbook name with password list results in "List" menu acting strange |
> If you have a space in a logbook name and you enable password list, then
> the "List" menu option forces you to the login page each time.
> The URL says "aaa+bbb", but when you do not have passwords enabled, the
> URL is "aaa bbb"
Thanks for reporting this. I fixed it in the current CVS version. |