ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
946 | Mon Feb 14 20:43:48 2005 | | Stefan Ritt | stefan.ritt@psi.ch | Question | Other | 2.5.7-1 | Re: Configuration problems |
> No luck. I have the proxy definition in my httpd.conf file. I have the URL parameter
> in my elogd.cfg file.
Can you show me the proxy definition? I hope you don't treat elogd as a CGI script... |
945 | Mon Feb 14 20:39:30 2005 | | Erich Beyrent | erich.beyrent@beyrent.net | Question | Other | 2.5.7-1 | Re: Configuration problems |
> > I am trying to run eLog under Apache 2 on my FreeBSD 5.3 server. I started
> > the daemon with "elogd -n <my hostname> -p 8080" and when I connect to my
> > server on that port, I get a 500 server configuration error. The Apache log
> > contains this:
> >
> > malformed header from script. Bad header=Please specify hostname.: elog
>
> - make sure your proxy definition in httpd.conf is correct and it uses port 8080
> - start elogd with the "-v" flag to see the communication between Apache and elogd
> - maybe you might need an "URL = http://<my hostname>/<elog dir>/" in the config
> file
No luck. I have the proxy definition in my httpd.conf file. I have the URL parameter
in my elogd.cfg file.
Here is the command line I am using to start the daemon:
elogd -v -D -n <myhost> -p 8080 -l <myhost>/cgi-bin/elog/logbooks -c /usr/local/server/apache/cgi-bin/elog/elogd.cfg
With the -v argument, here are the messages I get in /var/log/messages:
elogd 2.5.7-1 built Feb 14 2005, 09:55:19
Feb 14 14:38:28 onion elogd[34579]: revision 1.558
Feb 14 14:38:28 onion elogd[34579]: Config file : /usr/local/server/apache/cgi-bin/elog/elogd.cfg
Feb 14 14:38:28 onion elogd[34579]: Resource dir : /usr/local/server/apache/cgi-bin/elog/
Feb 14 14:38:28 onion elogd[34579]: Logbook dir : /usr/local/server/apache/cgi-bin/elog/logbooks/
Feb 14 14:38:28 onion elogd[34579]: Falling back to default group "elog"
Feb 14 14:38:28 onion elogd[34579]: Group "elog" not found
Feb 14 14:38:28 onion elogd[34579]: Falling back to default group "nogroup"
Feb 14 14:38:28 onion elogd[34579]: Falling back to default user "elog"
Feb 14 14:38:28 onion elogd[34579]: User "elog" not found
Feb 14 14:38:28 onion elogd[34579]: Falling back to default user "nobody"
Feb 14 14:38:28 onion elogd[34579]: Indexing logbook "demo" ...
Feb 14 14:38:28 onion elogd[34579]:
Feb 14 14:38:28 onion elogd[34579]: ID 1, 011108a.log, ofs 0, thead, MD5=
Feb 14 14:38:28 onion elogd[34579]: E4
Feb 14 14:38:28 onion elogd[34579]: 25
Feb 14 14:38:28 onion elogd[34579]: 4C
Feb 14 14:38:28 onion elogd[34579]: B8
Feb 14 14:38:28 onion elogd[34579]: AD
Feb 14 14:38:28 onion elogd[34579]: 4E
Feb 14 14:38:28 onion elogd[34579]: 88
Feb 14 14:38:28 onion elogd[34579]: 68
Feb 14 14:38:28 onion elogd[34579]: 08
Feb 14 14:38:28 onion elogd[34579]: 91
Feb 14 14:38:28 onion elogd[34579]: C9
Feb 14 14:38:28 onion elogd[34579]: 4D
Feb 14 14:38:28 onion elogd[34579]: 1E
Feb 14 14:38:28 onion elogd[34579]: B7
Feb 14 14:38:28 onion elogd[34579]: CB
Feb 14 14:38:28 onion elogd[34579]: C3
Feb 14 14:38:28 onion elogd[34579]:
Feb 14 14:38:28 onion elogd[34579]: After sort:
Feb 14 14:38:28 onion elogd[34579]: ID 1, 011108a.log, ofs 0
Feb 14 14:38:28 onion elogd[34579]: ok
Feb 14 14:38:28 onion elogd[34579]: Server listening on port 8080 ...
I am still getting the exact same error in my Apache log.
Any more ideas?
-Erich- |
944 | Mon Feb 14 19:03:31 2005 | | Stefan Ritt | stefan.ritt@psi.ch | Question | Other | 2.5.7-1 | Re: Configuration problems |
> I am trying to run eLog under Apache 2 on my FreeBSD 5.3 server. I started
> the daemon with "elogd -n <my hostname> -p 8080" and when I connect to my
> server on that port, I get a 500 server configuration error. The Apache log
> contains this:
>
> malformed header from script. Bad header=Please specify hostname.: elog
- make sure your proxy definition in httpd.conf is correct and it uses port 8080
- start elogd with the "-v" flag to see the communication between Apache and elogd
- maybe you might need an "URL = http://<my hostname>/<elog dir>/" in the config
file |
943 | Mon Feb 14 18:49:44 2005 | | Recai Oktas | roktas@omu.edu.tr | Info | Linux | 2.5.7 | Re: ELOG security vulnerability fixed, IMPORTANT!!!! |
Attention Debian users:
I've prepared the fixed package and also contacted the Debian Security Team for
an urgent security upload. Since then you may wish to update your package from
the following URL:
http://l10n-turkish.alioth.debian.org/debian/elog_2.5.7+r1558-1_i386.deb
Or you can also make an update via apt-get by adding the below line to your
'/etc/apt/sources.list' file:
deb http://l10n-turkish.alioth.debian.org/debian/ ./
> The second vulnerability had to do with write passwords. If you put a "write
> password = xxx" statement into your config file, it was still possible to
> download the config file with a special hand-written URL, and decode the
> write password, which is usually only base-64 encoded unless you haven't
> compiled elog with the -DHAVE_CRYPT flag.
FYI, the Debian package has already been compiled with this flag.
-- Recai Oktas, Maintainer of Debian package |
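The quoted point about base-64 encoded write passwords, as an added example that is not part of the original posts or of ELOG's code: base64 is an encoding, so anyone who obtains the stored value recovers the password without any key. The function names and the sample value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Decode standard base64 (RFC 4648 alphabet) into out and NUL-terminate it.
   Returns the decoded length, or -1 on an invalid character or short buffer. */
int b64_decode(const char *in, char *out, size_t out_size)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    if (out_size == 0) return -1;
    for (; *in != '\0' && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (p == NULL) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= out_size) return -1;   /* keep room for the NUL */
            out[n++] = (char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical helper: returns 1 if the stored value decodes back to plain. */
int recovers(const char *stored, const char *plain)
{
    char buf[128];
    int n = b64_decode(stored, buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(plain)
           && memcmp(buf, plain, (size_t)n) == 0;
}

int main(void)
{
    /* Constructed sample: "c2VjcmV0" is the base64 form of "secret". */
    printf("recovered without a key: %d\n", recovers("c2VjcmV0", "secret"));
    return 0;
}
```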
942 | Mon Feb 14 17:10:00 2005 | | Erich Beyrent | erich.beyrent@beyrent.net | Question | Other | 2.5.7-1 | Configuration problems |
I am trying to run eLog under Apache 2 on my FreeBSD 5.3 server. I started
the daemon with "elogd -n <my hostname> -p 8080" and when I connect to my
server on that port, I get a 500 server configuration error. The Apache log
contains this:
malformed header from script. Bad header=Please specify hostname.: elog
I am running elogd 2.5.7-1 built Feb 14 2005, 09:55:19 revision 1.558
Any assistance would be greatly appreciated!
-Erich- |
941 | Mon Feb 14 12:36:30 2005 | | Stefan Ritt | stefan.ritt@psi.ch | Info | Linux | Windows | 2.5.7 | ELOG security vulnerability fixed, IMPORTANT!!!! |
Dear ELOG users,
It has been brought to my attention that ELOG has a vulnerability through
which one can obtain a remote shell (meaning to log in to your machine
through elog). There is even an exploit available which demonstrates that
for both Linux and Windows.
This is a severe security problem for all logbooks which can be seen from
outside, even if they have password protection on. I strongly recommend
upgrading to elog version 2.5.7 as soon as possible if you run a public elog
server.
Here is some explanation for the technically interested:
The problem arises from a strcpy() in the decode_post() routine, which
triggers a buffer overflow when attachment file names longer than 256
characters are submitted. I replaced (hopefully) all strcpy() with strlcpy()
to fix this problem, but if someone sees a location which I have missed,
please tell me.
The second vulnerability had to do with write passwords. If you put a "write
password = xxx" statement into your config file, it was still possible to
download the config file with a special hand-written URL, and decode the
write password, which is usually only base-64 encoded unless you haven't
compiled elog with the -DHAVE_CRYPT flag. I have changed that so if a write
password is present, the download is only possible when this password is
submitted in each request. If this has some effects on synchronizing of
logbooks, please let me know.
Stefan Ritt |
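The strcpy() to strlcpy() change described in the post above, as an added example that is not ELOG's own code: a strlcpy-style copy whose return value is checked so that an over-long attachment name is rejected rather than silently truncated. The names `bounded_copy`, `store_attachment_name` and `demo` are hypothetical, and the 256-byte buffer is assumed from the post's 256-character figure.

```c
#include <stdio.h>
#include <string.h>
#define ATT_NAME_SIZE 256 /* assumed from the 256-character figure in the post */

/* strlcpy semantics under a hypothetical name, since strlcpy is not in every
   libc: copy at most size-1 bytes, always NUL-terminate, return strlen(src).
   A return value >= size tells the caller that src did not fit. */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Store a client-supplied attachment name (hypothetical function). The unsafe
   form is strcpy(dst, name), which writes past dst when name is too long.
   Returns 0 if stored, -1 if the name did not fit and was rejected. */
int store_attachment_name(char dst[ATT_NAME_SIZE], const char *name)
{
    if (bounded_copy(dst, name, ATT_NAME_SIZE) >= ATT_NAME_SIZE) {
        dst[0] = '\0'; /* reject instead of keeping a silently truncated name */
        return -1;
    }
    return 0;
}

/* Constructed input: a name of len 'A' characters. The canary sits next to the
   buffer; returns -99 if it was modified, else store_attachment_name()'s result. */
int demo(size_t len)
{
    struct { char name[ATT_NAME_SIZE]; char canary[8]; } s;
    char input[1024];
    if (len >= sizeof input) return -2;
    memset(input, 'A', len);
    input[len] = '\0';
    memcpy(s.canary, "CANARY!", 8);
    int rc = store_attachment_name(s.name, input);
    return memcmp(s.canary, "CANARY!", 8) == 0 ? rc : -99;
}

int main(void)
{
    printf("%d %d %d\n", demo(255), demo(256), demo(1000));
    return 0;
}
```

Checking the return value matters: a bounded copy alone stops the overflow but would still accept a truncated file name.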
940 | Sun Feb 13 17:21:19 2005 | | Stefan Ritt | stefan.ritt@psi.ch | Question | Linux | Windows | V2.5.6-2 | Re: ELOG Command Line Utility |
> I am trying to use the command line utility elog. Some of the attributes
> that I have setup are multiple options. When I run the command line
> utility to create a new message, any attribute that is setup with multiple
> options will not be filled in. The syntax I am using is as follows:
>
> elog -h localhost -p 8080 -l Lab -a "Site=xxxx" -a "Area=System" -a "Priority=Low" -a "Shift=1" -a "Status=Open" -m text.txt
>
> Site and Area are defined in the config file as MOptions. Is there a way
> to use this feature with multiple options on attributes with the
> attributes = to one or more variables?
For MOptions, you have to append an "_n" to each attribute to distinguish
different options for the same attribute, like
elog -h localhost -p 8080 -l Lab -a "Site_0=Home" -a "Site_1=Work" ...
Even if you only use one attribute, the trailing "..._0" is necessary. I will
add a note to the documentation. |
939 | Sun Feb 13 16:43:05 2005 | | Stefan Ritt | stefan.ritt@psi.ch | Question | Linux | | Re: Help with configuration newbie |
> For me, when I put the Category in the fixed attributes for reply, I see the
> Category but when I actually try to send the message - it says Category not
> entered. I am sure I am doing something very stupid. Please help.
No, it was a bug, which I could reproduce now. I fixed it in revision 1.554. It will
be contained in the next release. |