Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG, Page 799 of 801  Not logged in ELOG logo
ID Date Icon Author Author Email Category OS ELOG Version Subject
  65   Wed Jul 10 08:53:21 2002 Reply Stefan Rittstefan.ritt@psi.chComment  Re: elog submit without user and password
> I guess it cannot and doesn't have to be 100% save.  Maybe if the web
> interface is used for a new message a long random number (let's call
> it newID) can be included, which elog remembers for some time (say 1
> day).  Now elogd accepts a new message only if 
> 
>   1) the cookies is there and valid or
>   2) if the cookies are NOT THERE, but the newID matches one of the
>        stored ones.     
> 
> The new message is rejected if the cookies are there, but are wrong.

Ok that sounds a good idea to me, I will work on that.

> Can one delete or edit messages with elog?  If yes then this should not be
> possible.

No this is not possible.
  64   Tue Jul 9 15:28:33 2002 Reply H. Scheith.scheit@mpi-hd.mpg.deComment  Re: elog submit without user and password
> > With elog it is possible to submit messages to a password protected
> > logbook without specifying the -u option.  I.e. NO PASSWORD is
> > necessary to submit a message.  I assume it is related to the problem
> > of expiring password-cookies while entering the message using a web
> > browser.
> 
> Indeed this problem is related to the expiring password cookies. As a 
> reminder: For the submission of a new entry, the password is checked when
one 
> presses the "New" button, but NOT for the "submit". This is because a 
> password can expire between the "New" and the "Submit", so a entered message 
> could not be sent. The question is now what to do with the standalone
"elog".
> 
> Right now, elog does a normal submission where the password is not checked, 
> which is maybe not what one wants. But what to do? If elog sends a special 
> flag "please do check password on submit", someone could analyze the source 
> code, remove the flag from elog and then still submit messages without a 
> password. If I put an additional flag to the web browser submission "please 
> do not check the password since the cookie might have been expired", someone 
> can add this flag into elog and still bypass the password checking.

I guess it cannot and doesn't have to be 100% save.  Maybe if the web
interface is used for a new message a long random number (let's call
it newID) can be included, which elog remembers for some time (say 1
day).  Now elogd accepts a new message only if 

  1) the cookies is there and valid or
  2) if the cookies are NOT THERE, but the newID matches one of the
       stored ones.     

The new message is rejected if the cookies are there, but are wrong.

> Anothe thing which bothers me is if you specify the password explicitly on 
> the command line of elog, it's visible in some scripts etc, which yould be a 
> security issue as well.

Maybe the encoded password should be specified.  I use wget to
retrieve some entries automatically over a cron job and with wget
you specify a cookie-file with --cookie-file (or something like
this).  The content of this file corresponds to the content of the
netscape cookie file.

> 
> Any ideas?

Can one delete or edit messages with elog?  If yes then this should not be
possible.
  63   Tue Jul 9 10:58:18 2002 Reply Stefan Rittstefan.ritt@psi.chComment  Re: elog submit without user and password
> With elog it is possible to submit messages to a password protected
> logbook without specifying the -u option.  I.e. NO PASSWORD is
> necessary to submit a message.  I assume it is related to the problem
> of expiring password-cookies while entering the message using a web
> browser.

Indeed this problem is related to the expiring password cookies. As a 
reminder: For the submission of a new entry, the password is checked when one 
presses the "New" button, but NOT for the "submit". This is because a 
password can expire between the "New" and the "Submit", so a entered message 
could not be sent. The question is now what to do with the standalone "elog".

Right now, elog does a normal submission where the password is not checked, 
which is maybe not what one wants. But what to do? If elog sends a special 
flag "please do check password on submit", someone could analyze the source 
code, remove the flag from elog and then still submit messages without a 
password. If I put an additional flag to the web browser submission "please 
do not check the password since the cookie might have been expired", someone 
can add this flag into elog and still bypass the password checking.

Anothe thing which bothers me is if you specify the password explicitly on 
the command line of elog, it's visible in some scripts etc, which yould be a 
security issue as well.

Any ideas?
  62   Tue Jul 9 09:33:47 2002 Reply Stefan Rittstefan.ritt@psi.chBug fix  Re: Compiling elog 2.0.4 on Solaris
> Comiling elogd 2.0.4 under Solaris obviously fails with
> 
> gcc  -o elog elog.c -lsocket -lnsl
> gcc  -o elogd elogd.c -lsocket -lnsl
> elogd.c: In function `ss_file_find':
> elogd.c:1372: `alphasort' undeclared (first use in this function)
> elogd.c:1372: (Each undeclared identifier is reported only once
> elogd.c:1372: for each function it appears in.)
> make: *** [elogd] Error 1
> 
> because alphasort is an ucb'ism which does not exist under SYSV
> 
> ... not very portable :-(

I was not aware of this. Actually, I don't need 'alphasort' so I removed it 
from the source. The update is at

http://midas.psi.ch/cgi-bin/cvsweb/elog/elogd.c

Please give it a try.
  61   Tue Jul 9 09:25:41 2002 Reply Stefan Rittstefan.ritt@psi.chInfo  Re: problem saving elogd.cfg
> In version 2.0.4 of eLog I was having some problems with saving my 
> configuration file once I edited it on the web using the config. command.
> I keep getting the message "Cannot open file %s: elogd.cfg".  I made sure 
> the file was in the right directory.  I dont know if I am doing something 
> wrong or if its a bug?

The error display is certainly wrong. I fixed that and you can download the 
updated version at 

http://midas.psi.ch/cgi-bin/cvsweb/elog/elogd.c

As for the error, you should check the file permissions. If you run the 
daemon under a user which has no write access to the directory or file, you 
would get the described error.
  60   Tue Jul 9 09:18:05 2002 Reply Stefan Rittstefan.ritt@psi.chInfo  Re: Where can I get more information on the config file
> Where can I get more information about the config and themes file. I
> downloaded the latest version (2.0.4) and the config file docs seem out of
> date. I would like to get the icons working as well as getting the email 
to
> work. The demo page at the elog home site shows both but I cannot find ant
> references to the icons.

Oops, I forgot the "IOptions" statement to documentation. Please see the 
updated version at

http://midas.psi.ch/elog/config.html

look for "IOptions". For the Email notification see the whole 
section "Email 
notification" near the bottom of the page.
  59   Mon Jul 8 22:50:16 2002 Question Scott Fenstermacherdsfens@wm.eduQuestion  Where can I get more information on the config file
Where can I get more information about the config and themes file. I
downloaded the latest version (2.0.4) and the config file docs seem out of
date. I would like to get the icons working as well as getting the email to
work. The demo page at the elog home site shows both but I cannot find ant
references to the icons.
  58   Mon Jul 8 21:01:00 2002 Question Christian KorschanChristian.Korschan@CTBTO.ORGBug report  Compiling elog 2.0.4 on Solaris
Comiling elogd 2.0.4 under Solaris obviously fails with

gcc  -o elog elog.c -lsocket -lnsl
gcc  -o elogd elogd.c -lsocket -lnsl
elogd.c: In function `ss_file_find':
elogd.c:1372: `alphasort' undeclared (first use in this function)
elogd.c:1372: (Each undeclared identifier is reported only once
elogd.c:1372: for each function it appears in.)
make: *** [elogd] Error 1

because alphasort is an ucb'ism which does not exist under SYSV

... not very portable :-(
ELOG V3.1.5-3fb85fa6