Re: elogd -C failing to sync password file with "Received invalid response from elogd server" message, posted by John Rouillard on Mon May 17 04:01:16 2010
|
| Stefan Ritt wrote: | Hi Rouilj,
re-posting your bug report doe not help. If I'm not replying immediately it means I'm pretty busy with other things, so just be patient.
|
Fair enough. I just saw posts after mine being responded to and I wasn't sure if my choice of icon
was causing it to be filtered out or not.
| Stefan Ritt wrote: |
Your problem is related to the reply from the server you posted. After you send
GET /Discussion/?cmd=GetPwdFile
you should get the login page, which starts with
HTTP/1.1 200 Document follows
....
<title>ELOG Login</title>
....
but you do get
HTTP/1.1 404 Not Found
....
The best thing to diagnose this problem is to run the server with the "-v" flag, so you don't have to run truss. Then compare the request sent by your cloning process (your GET /Discussion/?cmd=GetPwdFiel from above) and compare it if you send from your browser
http://host.example.org:8080/Discussion/?cmd=GetPwdFile
|
Using the url above from mozilla without being logged into the elogd server, elogd -v shows:
GET /Discussion/?cmd=GetPwdFile HTTP/1.1
Host: rouilj.dyndns.org:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: elmode=Summary; urem=1
==== Return ================================
HTTP/1.1 404 Not Found
Server: ELOG HTTP 2.7.8-2278
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 665
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<title>ELOG error</title>
<link rel="stylesheet" type="text/css" href="default.css">
</head>
<body><center>
<table class="dlgframe" width="50%" cellpadding="1" cellspacing="0"<tr><td class="errormsg">Error: Command "<b>GetPwdFile</b>" not allowed</td></tr>
<tr><td class="errormsg"><script language="javascript" type="text/javascript">
document.write("<button type=button onClick=history.back()>Back</button>");
</script>
<noscript>
Please use your browser's back button to go back
</noscript>
</td></tr>
</table>
</center></body></html>
It looks like it's not redirecting to the login page and returning a 404 instead.
If I log in and submit the same URL, it displays the password file as expected.
I think I kind of see what's happening here. In is_command_allowed you add the GetPwdFile to the list of
allowed command but only if is_admin_user is true. Since the user is guest at that point, I assume
is_admin_user returns false making is_command_allowed return false. Then the redirect is attempted by this
code sequence:
if (!is_command_allowed(lbs, command)) {
/* redirect to login page for new command */
if (strieq(command, loc("New")) && !isparam("unm")) {
check_user_password(lbs, "", "", _cmdline);
return;
}
but to me that looks like it will execute only if the command contains the word new
(or it's translated equivalent if I understand loc() properly)?? Since the command string
GetPwdFile doesn't match no login screen is presented by check_user_password.
| Stefan Ritt wrote: |
now without sending any cookies. Maybe you can figure out why the server replies with a 404 instead of a 200 when run from the cloning process. Try a very simple elogd.cfg on your sever side, just the basic thing with a "Password file = ..." setting. Do you have any blanks in your logbook name? Are you using Apache as a proxy?
Anyhow, if this does not work for you, just copy your password file manually as you did already. The rest should then work fine for you.
- Stefan |
No apache in the mix (although I may be adding it in the future), no blanks in the
logbook names.
-- rouilj |
Re: elogd -C failing to sync password file with "Received invalid response from elogd server" message, posted by John Rouillard on Mon May 17 04:19:29 2010 
|
| John Rouillard wrote: |
I think I kind of see what's happening here. In is_command_allowed you add the GetPwdFile to the list of
allowed command but only if is_admin_user is true. Since the user is guest at that point, I assume
is_admin_user returns false making is_command_allowed return false. Then the redirect is attempted by this
code sequence:
if (!is_command_allowed(lbs, command)) {
/* redirect to login page for new command */
if (strieq(command, loc("New")) && !isparam("unm")) {
check_user_password(lbs, "", "", _cmdline);
return;
}
but to me that looks like it will execute only if the command contains the word new
(or it's translated equivalent if I understand loc() properly)?? Since the command string
GetPwdFile doesn't match no login screen is presented by check_user_password.
|
The attached patch (also included inline) seems to fix the problem. I am sure it can be done more cleanly but...
--- elogd.c~ 2009-12-02 05:53:44.000000000 -0500
+++ elogd.c 2010-05-16 21:58:14.000000000 -0400
@@ -26236,6 +26236,10 @@
check_user_password(lbs, "", "", _cmdline);
return;
}
+ if (strieq(command, loc("GetPwdFile")) && !isparam("unm")) {
+ check_user_password(lbs, "", "", _cmdline);
+ return;
+ }
strencode2(str2, command, sizeof(str3));
sprintf(str, loc("Error: Command \"<b>%s</b>\" not allowed"), str2);
-- rouilj |
|
Re: elogd -C failing to sync password file with "Received invalid response from elogd server" message, posted by John Rouillard on Tue May 18 21:17:35 2010
|
| Stefan Ritt wrote: |
Ok, now I got it! The problem was that you used "Guest menu commands = ..." and I did not. So the behavior is different with that option, which is why I could not reproduce your problem initially. Now I could reproduce it and the cleanest fix is this:
--- elogd.c (revision 2294)
+++ elogd.c (working copy)
@@ -15704,7 +15704,7 @@
fgets(pwd, sizeof(pwd), stdin);
while (pwd[strlen(pwd) - 1] == '\n' || pwd[strlen(pwd) - 1] == '\r')
pwd[strlen(pwd) - 1] = 0;
- } else if (status != 200 && status != 302) {
+ } else if (status != 200 && status != 302 && status != 404) {
xfree(buffer);
*strchr(str, '?') = 0;
which is just accept the 404 response and not abort the cloning process. |
Yup. My settings are:
Guest menu commands = List, Last 10, Find, Login, Help
Guest List Menu commands = List, Last 10, Find, Login, Help
Ok, so this patch fixes the problem on the client side (rather than the server side like my patch) of the
cloning process. I can't tell from the patch above but will this fix allow the cloning process to "complete"
but without the password file being copied, or does code outside the patched section try to login and get
the password file?
-- rouilj |
|
Re: elogd -C failing to sync password file with "Received invalid response from elogd server" message, posted by John Rouillard on Thu May 20 03:37:59 2010
|
| Stefan Ritt wrote: |
| John Rouillard wrote: | Ok, so this patch fixes the problem on the client side (rather than the server side like my patch) of the
cloning process. I can't tell from the patch above but will this fix allow the cloning process to "complete"
but without the password file being copied, or does code outside the patched section try to login and get
the password file? |
Well, why don't you give it a try and let me know if the is any problem left? |
Sorry to report that it fails same as originally with:
Received invalid response from elogd server at http://example.org:8080/Discussion/
However there was a fuzz of 12 lines when I applied the patch, but I think it got the right line.
-- rouilj |
|
Re: elogd -C failing to sync password file with "Received invalid response from elogd server" message, posted by John Rouillard on Sat Jun 12 05:55:39 2010
|
I pulled svn revision 2299 from svn and built it on both server and client side. It is working
properly now.
Thanks for the patch.
-- rouilj |
http://midas.psi.ch/elog/download/windows/ doesn't have the latest 2.90 release, posted by John Rouillard on Mon Mar 21 02:40:31 2011
|
It looks like the newest windows release of elog at
http://midas.psi.ch/elog/download/windows/ is 2.81.
elog281-1.exe 23-Dec-2010 11:42 3.1M
elog-latest.exe 23-Dec-2010 11:42 3.1M
Can you post the 2.90 release.
Thanks.
-- rouilj |
Elog 2.9.0 buffer overflow crash bug ubuntu linux, posted by John Rouillard on Sun Apr 10 01:49:01 2011
|
When running openvas (a nessus fork) against elog 2.9.0 I provoked the following crash:
Apr 9 17:32:06 unixland elogd[1300]: POST / HTTP/1.0#015#012Host: unixland.home
#015#012Content-Length: -800#015#012#015#012XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Apr 9 17:32:06 unixland kernel: [664894.491242] elogd[1300]: segfault at b7713d
2e ip 080b6956 sp bf8d5ea0 error 4 in elogd[8048000+96000]
openvas reports that it was testing for CVE-2002-1212 when the crash occurred.
Startup info:
Apr 9 19:35:54 unixland elogd[21584]: elogd 2.9.0 built Apr 9 2011, 17:49:08
Apr 9 19:35:54 unixland elogd[21584]: revision 2411
-- rouilj |
|
Re: dependencies lib, posted by John P. Huber on Mon Aug 3 22:13:16 2015
|
Can you provide simliar guidance for Scientific Linux release 6.6 (Carbon, 64 bit version) as I get the "failed dependencies" after installing
openssl-devel package and I tried linking /usr/lib64/libssl.so.1.0.1e as libssl.so.6 in both /lib and /usr/lib ? -jph
| Stefan Ritt wrote: |
|
If you Google for "libssl.so.6 is needed", you will find for example this site: http://ubuntuforums.org/showthread.php?t=2096126 , which tells you to install the libssl-dev package.
| alireza wrote: |
|
Hi,I'm new here :) and want to install elog on linux suse. could you please tell me, how can I find this following lib dependency.
linuxsuse#rpm -i elogi386.rpm
error: Failed dependencies:
libssl.so.6 is needed by elog-3.1.0-2.i386
Thanks in Advance
|
|
|
|