Discussion forum about ELOG, Page 73 of 806
ID; Date; Icon; Author; Author Email; Category; OS; ELOG Version; Subject
69285; Thu Dec 31 18:35:19 2020; Reply; prinnydood; moltensolderlabs@pm.me; Bug report; Linux; 3.1.3; Re: Path disclosure on unfound file

I can confirm this issue exists on version 3.1.3 of elog, which I have installed on Debian 10.

The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.

This is what I found:

1. If I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish

2. If I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd

3. If I include the .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ("dot" + gibberish) exposes the path.

4. If I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.

Turning on -v (verbose mode), the responses by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).

=====

My guess: the program seems to be caring about the files ONLY if they have an html file extension. Please see the screenshots below.

====

What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.

(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).

Attachment 1: no_extension.png
Attachment 2: nonexistent_html.png
Attachment 3: random_extension.png
Attachment 4: valid_html_file_with_html_extension.png
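
An added example, not part of the original post or of ELOG: a regression check that scans saved response bodies for the two leaks reported above, an absolute filesystem path and a version banner. The sample bodies, the error-page wording and the path prefixes are constructed assumptions.

```python
import re

# Absolute Unix paths under common system roots. The prefix list is an
# assumption; extend it to match where your elog package is installed.
PATH_RE = re.compile(r"(?<![\w.:/])/(?:usr|opt|var|etc|home|srv)(?:/[\w.+-]+)+")
# Version banner such as "ELOG V3.1.3" or "ELOG version 3.1.3" (format assumed).
VERSION_RE = re.compile(r"\bELOG\s+(?:V|version\s+)?\d+(?:\.\d+)+", re.IGNORECASE)


def find_disclosures(body):
    """Return filesystem paths and version banners found in one response body."""
    return {
        "paths": sorted(set(PATH_RE.findall(body))),
        "versions": sorted(set(VERSION_RE.findall(body))),
    }


def audit(responses):
    """Map each probed URL path to its findings, keeping only the leaky ones."""
    report = {}
    for url_path, body in responses.items():
        found = find_disclosures(body)
        if found["paths"] or found["versions"]:
            report[url_path] = found
    return report


# Constructed sample bodies for the probe cases in the post. The real
# error-page wording is only in the screenshots, so it is assumed here.
SAMPLE_RESPONSES = {
    "/gibberish": "<td class='errormsg'>Invalid URL</td>",
    "/gibberish.asdfasd": "<td class='errormsg'>Invalid URL</td>",
    "/gibberish.html": (
        "<h1>Not Found</h1>The requested file "
        "<b>/usr/share/elog/themes/default/gibberish.html</b> was not found"
        "<hr><address>ELOG version 3.1.3</address>"
    ),
}
```

Feed `audit()` the bodies returned by your own server for the same four kinds of request; an empty report after a fix means neither leak is present in those responses.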
69284; Fri Dec 18 18:08:54 2020; Question; Chris Körner; chris.koerner@physik.uni-halle.de; Request; Other; 3.1.3; outdated debian package

Hi everyone,

I am currently trying to set up elog as a docker container. I wonder if there is any reason why the elog Debian package is stuck at version 3.1.3? Would it be possible to update it to the latest version?

 

Thanks very much!

69283; Wed Dec 16 12:41:42 2020; Reply; Simon Däster; simon.daester+elog@gmail.com; Info; Windows; ELOG V3.1.4-a04; Re: How to increase TEXT_SIZE to address entry text limit

Hi Illam

You actually have to change the source code of elog and then recompile. Download the code from https://bitbucket.org/ritt/elog/src/master/, change the value of the variable TEXT_SIZE in the file src/elogd.h.

Default is #define TEXT_SIZE 250000

 

Illam Pakkirisamy wrote:

Hi,

I'm trying to increase the entry text constraint but not sure how to do this. Couldn't find it in the documentation or maybe I missed it. Appreciate your help.

Thanks.
Illam

 

 

69282; Tue Dec 15 17:41:57 2020; Reply; Satyajit Jena; satya.ino@gmail.com; Question; Linux; 3.1.4; Re: Is there a way to upload a file in custom input?

Thanks Stefan,

I am not yet able to figure out how attachment submission is done, I am trying. It would be helpful if you can refer me to some pointer.

With regards,

satyajit

Stefan Ritt wrote:

When you submit a "normal" elog entry, you can click on "Choose file" to add an attachment. On a mobile device, you will then be asked to select a photo from your library or take one with your camera. You can do the same on a custom form. You have to extract the code from the normal submission form and program it on your custom page. It needs however some work and might not be straightforward.

Stefan

Satyajit Jena wrote:

Hi,

I am trying to implement a custom input form by following this https://elog.psi.ch/elogs/Contributions/49. Is there a way to also insert an image or files to it? I want to take a snap from the iPad and want that to go as an attachment or attach a file(s) into the form. Is there a way to do that?

Your suggestions are highly appreciated.

Regards,

sjena

 

 

 

69281; Tue Dec 15 15:19:25 2020; Reply; Stefan Ritt; stefan.ritt@psi.ch; Question; Linux; 3.1.4; Re: Is there a way to upload a file in custom input?

When you submit a "normal" elog entry, you can click on "Choose file" to add an attachment. On a mobile device, you will then be asked to select a photo from your library or take one with your camera. You can do the same on a custom form. You have to extract the code from the normal submission form and program it on your custom page. It needs however some work and might not be straightforward.

Stefan

Satyajit Jena wrote:

Hi,

I am trying to implement a custom input form by following this https://elog.psi.ch/elogs/Contributions/49. Is there a way to also insert an image or files to it? I want to take a snap from the iPad and want that to go as an attachment or attach a file(s) into the form. Is there a way to do that?

Your suggestions are highly appreciated.

Regards,

sjena

 

 

69280; Tue Dec 15 14:50:55 2020; Question; Satyajit Jena; satya.ino@gmail.com; Question; Linux; 3.1.4; Is there a way to upload a file in custom input?

Hi,

I am trying to implement a custom input form by following this https://elog.psi.ch/elogs/Contributions/49. Is there a way to also insert an image or files to it? I want to take a snap from the iPad and want that to go as an attachment or attach a file(s) into the form. Is there a way to do that?

Your suggestions are highly appreciated.

Regards,

sjena

 

69279; Fri Dec 4 02:03:56 2020; Reply; Harry Martin; harrymartin772@gmail.com; Question; Linux | Windows | Mac OSX | All | Other; 3.1.3; Re: length of condition names

Could we update the doc for this?

Stefan Ritt wrote:

You can easily use multi-character conditionals, up to 256 chars.

Harry Martin wrote:

The documentation describing the use of conditionals uses a single character (letter or number) for names of conditions.  I don't see any update/change to that rule anywhere in the docs.

I have been using multi-character condition names successfully.   I find these are easier to use since they can be more descriptive of each condition.   It works, but I am concerned I may be doing something that might not be supported going forward.   (It is simple enough to change these, but I'd prefer to know if this practice is acceptable.)

Thank you, again, for this fine (and, may I add, fun?) tool.  I'm having a good time with it!

 

 

69278; Thu Dec 3 19:11:38 2020; Question; Illam Pakkirisamy; illam@senseeker.com; Info; Windows; ELOG V3.1.4-a04; How to increase TEXT_SIZE to address entry text limit

Hi,

I'm trying to increase the entry text constraint but not sure how to do this. Couldn't find it in the documentation or maybe I missed it. Appreciate your help.

Thanks.
Illam

 
