Discussion forum about ELOG, Page 375 of 808

ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
67792 | Fri Jan 30 09:30:35 2015 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Question | Windows | 3.0.0 | Re: Permission on reply

You can use the switches

Allow reply = <user list>

Deny reply = <user list>

to give only certain users the right to use that command.

/Stefan

Banata Wachid Ridwan wrote:

Is it possible to set reply only for certain members?

All members can submit to the logbook, but only certain members can reply to it.

Thanks for the help, and sorry if I have too many questions :D

 

67802 | Wed Feb 4 09:48:32 2015 | Reply | Banata Wachid Ridwan | jogjacard@yahoo.com | Question | Windows | 3.0.0 | Re: Permission on reply

So let's say I just want to allow certain members to reply in the logbook; I just need to add the parameter Allow reply = <user list>

and automatically all members not listed will be forbidden, am I correct?

I don't need to specify members for "Deny Reply", right?

Stefan Ritt wrote:

You can use the switches

Allow reply = <user list>

Deny reply = <user list>

to give only certain users the right to use that command.

/Stefan

Banata Wachid Ridwan wrote:

Is it possible to set reply only for certain members?

All members can submit to the logbook, but only certain members can reply to it.

Thanks for the help, and sorry if I have too many questions :D

 

 

67803 | Wed Feb 4 10:33:16 2015 | Reply | David Pilgram | David.Pilgram@epost.org.uk | Question | Windows | 3.0.0 | Re: Permission on reply

Hi Banata,

If you only have a few people who can reply, then use

Allow reply = <user list>

and no need to produce a "Deny reply" list.

If most people are able to reply, but a few are *not* allowed to reply - bad behaviour or whatever - then the Deny reply list is more appropriate, and no need to generate an "Allow reply" userlist.

David.

Banata Wachid Ridwan wrote:

So let's say I just want to allow certain members to reply in the logbook; I just need to add the parameter Allow reply = <user list>

and automatically all members not listed will be forbidden, am I correct?

I don't need to specify members for "Deny Reply", right?

Stefan Ritt wrote:

You can use the switches

Allow reply = <user list>

Deny reply = <user list>

to give only certain users the right to use that command.

/Stefan

Banata Wachid Ridwan wrote:

Is it possible to set reply only for certain members?

All members can submit to the logbook, but only certain members can reply to it.

Thanks for the help, and sorry if I have too many questions :D

 

 

 

67287 | Tue Jun 12 10:38:34 2012 | Reply | Roland Gsell | roland.gsell@oeaw.ac.at | Question | Linux | 2.9.1-2435 | Re: Periodic backup doesn't work ..

The synchronize feature is totally worthless to me.

First of all the automatic backup doesn't work - and nobody seems to know why - and pressing the synchronize button by hand from time to time also doesn't work if the entry is too big:

Error sending local entry: Error transmitting message

 

So, copying the files manually helps, but for this I don't need a "fancy" synchronize feature.

67992 | Wed Jun 10 09:12:06 2015 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Bug report | Linux | 3.10.2 | Re: Path disclosure on unfound file

What URL did you use? If I try here on this forum I get:

which looks fine to me.

 

Bruce Bush wrote:

Greetings,

  Running elog 3.1.0 on CentOS 6.6.  When I try to access a nonexistent file, elog reveals a path in the 404 page.  For example:

Not Found

The requested file /usr/local/elog/themes/default/blortblortblort7854.htm was not found on this server


ELOG version 3.1.0
 
  Is there any way to use a custom 404 page with elog, or to make it stop displaying the file information?
 
Thank you,
bb
 
 

 

 

68652 | Fri Aug 18 01:02:41 2017 | Reply | Travis Unkel | travisunkel@gmail.com | Bug report | Linux | 3.1.3 | Re: Path disclosure on unfound file

I am having the same issue. If you go to midas.psi.ch/elogs/12345.htm you get the path disclosure issue.

 

Stefan Ritt wrote:

What URL did you use? If I try here on this forum I get:

which looks fine to me.

 

Bruce Bush wrote:

Greetings,

  Running elog 3.1.0 on CentOS 6.6.  When I try to access a nonexistent file, elog reveals a path in the 404 page.  For example:

Not Found

The requested file /usr/local/elog/themes/default/blortblortblort7854.htm was not found on this server


ELOG version 3.1.0
 
  Is there any way to use a custom 404 page with elog, or to make it stop displaying the file information?
 
Thank you,
bb
 
 

 

 

 

69285 | Thu Dec 31 18:35:19 2020 | Reply | prinnydood | moltensolderlabs@pm.me | Bug report | Linux | 3.1.3 | Re: Path disclosure on unfound file

I can confirm this issue exists on version 3.1.3, which I have installed on Debian 10.

The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.

This is what I found:

1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish

2. if I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd

3. if I include any .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ( "dot" + gibberish) exposes the path

4. if I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.

Turning on -v (verbose mode), the responses by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).

=====

My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.

====

What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.

(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).

Attachment 1: no_extension.png
Attachment 2: nonexistent_html.png
Attachment 3: random_extension.png
Attachment 4: valid_html_file_with_html_extension.png
69288 | Fri Jan 8 13:47:14 2021 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Bug report | Linux | 3.1.3 | Re: Path disclosure on unfound file

Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a

prinnydood wrote:

I can confirm this issue exists on version 3.1.3, which I have installed on Debian 10.

The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.

This is what I found:

1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish

2. if I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd

3. if I include any .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ( "dot" + gibberish) exposes the path

4. if I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.

Turning on -v (verbose mode), the responses by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).

=====

My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.

====

What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.

(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).
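
The behaviour discussed in this thread, a 404 message that echoes the resolved server-side path versus one where "the path gets stripped", shown side by side. This is an added example, not ELOG's source and not the code from the commit mentioned above; the function names are hypothetical, the message wording is taken from the 404 text quoted in the thread, and the sample path in `main` is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Last path component; '/' and '\\' both count as separators. */
static const char *leaf_name(const char *path) {
    const char *leaf = path;
    for (const char *p = path; *p; p++)
        if (*p == '/' || *p == '\\')
            leaf = p + 1;
    return leaf;
}

/* HTML-escape src into dst (n bytes); the name comes from the request. */
static void html_escape(char *dst, size_t n, const char *src) {
    size_t used = 0;
    if (n == 0)
        return;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = *src == '<' ? "&lt;" : *src == '>' ? "&gt;" :
                          *src == '&' ? "&amp;" : *src == '"' ? "&quot;" : one;
        size_t len = strlen(rep);
        if (used + len >= n)
            break;                      /* truncate instead of overflowing */
        memcpy(dst + used, rep, len);
        used += len;
    }
    dst[used] = '\0';
}

/* Before: the resolved server-side path is echoed to the client. */
int not_found_leaky(char *out, size_t n, const char *resolved) {
    return snprintf(out, n, "The requested file %s was not found on this server", resolved);
}

/* After: only the escaped leaf name reaches the response body. */
int not_found_stripped(char *out, size_t n, const char *resolved) {
    char name[256];
    html_escape(name, sizeof name, leaf_name(resolved));
    return snprintf(out, n, "The requested file %s was not found on this server", name);
}

int main(void) {
    char page[512];
    /* Constructed input, modelled on the path quoted in the thread. */
    not_found_stripped(page, sizeof page, "/usr/share/elog/themes/default/gibberish.html");
    puts(page);
    return 0;
}
```

The same assertion, that an error body contains no directory separator from the install path, works as a regression check after upgrading.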

 
