Dear ELOG users,

It has been brought to my attention that ELOG has a vulnerability through
which one can obtain a remote shell (meaning to log in to your machine
through elog). There is even an exploit available which demonstrates that
both for linux and windows.

This is a severe security problem for all logooks which can be seen from
outside, even if they have password protection on. I strongly recommened to
upgrade to elog version 2.5.7 as soon as possible if you run a public elog
server.

Here is some explanation for the technically interested:

The problem arises from a strcpy() in the decode_post() routine, which
triggers a buffer overflow when attachment file names longer than 256
characters are submitted. I replaced (hopefully) all strcpy() with strlcpy()
to fix this problem, but if someone sees a location which I have missed,
please tell me.

The second vulnerability had to do with write passwords. If you put a "write
password = xxx" statement into your config file, it was still possible to
download the config file with a special hand-written URL, and decode the
write password, which is usually only base-64 encoded unless you haven't
compiled elog with the -DHAVE_CRYPT flag. I have changed that so if a write
password is present, the download is only possible when this password is
submitted in each request. If this has some effects on synchronizing of
logbooks, please let me know.

Stefan Ritt

> I am trying to use the command line utility elog. Some of the attributes 
> that I have setup are multiple options. When I run the command line 
> utility to create a new message, any attribute that is setup with multiple 
> options will not be filled in. The syntax I am using is as  follows:
> 
> elog -h localhost -p 8080 -l Lab -a "Site=xxxx" -a "Area=System" -
> a "Priority=Low" -a "Shift=1" -a "Status=Open" -m text.txt
> 
> Site and Area are defined in the config file as MOptions. Is there a way 
> to use this feature with multiple options on attributes with the 
> attributes = to one or more variables?

For MOptions, you have to append an "_n" to each attribute to distinguish
different options for the same attribute, like

elog -h localhost -p 8080 -l Lab -a "Site_0=Home" -a "Site_1=Work" ...

Even if you only use one attribute, the trailing "..._0" is necessary. I will
add a note to the documentation.

> For me, when I put the Category in the fixed attributes for reply, I see the
> Category but when I actually try to send the message - it says Category not
> entered. I am sure I am doing something very stupid. Please help.

No, it was a bug, which I could reproduce now. I fixed it in revision 1.554. It will
be contained in the next release.

> > 1. When replying to another reply in a thread, the author_name attribute is
> > not substitued (as desired). Since this is a mandatory field, we are not
> > able to send the reply message. However, reply to the originial message
> > works fine.
> 
> Preset on reply Author = $long_name
> 
> Do not use "Remove on reply".

This worked. Thanks.

> 
> > 2. "Use Email From = string" prepends an additional "" to the "From"
> > field in the e-mails.
> 
> This has been fixed recently, please update.

Agani, thanks for the information.

> 
> > 3. "Fixed Attributes Reply = Subject" fixes the subject line while replying.
> > However when we add "Category" attribute to this list, it breaks.
> 
> I tried to use your config file and add
> 
> Fixed attributes reply = Subject, Category
> 
> and it worked as expected. What kind of "break" did you observe?

For me, when I put the Category in the fixed attributes for reply, I see the
Category but when I actually try to send the message - it says Category not
entered. I am sure I am doing something very stupid. Please help.

- Anand.

> 1. When replying to another reply in a thread, the author_name attribute is
> not substitued (as desired). Since this is a mandatory field, we are not
> able to send the reply message. However, reply to the originial message
> works fine.

Preset on reply Author = $long_name

Do not use "Remove on reply".

> 2. "Use Email From = string" prepends an additional "" to the "From"
> field in the e-mails.

This has been fixed recently, please update.

> 3. "Fixed Attributes Reply = Subject" fixes the subject line while replying.
> However when we add "Category" attribute to this list, it breaks.

I tried to use your config file and add

Fixed attributes reply = Subject, Category

and it worked as expected. What kind of "break" did you observe?

What you can try is to debug the communication between elogd and the SMTP
server. Just turn on logging via

Logfile = log.txt
Logging level = 3

After sending email, you see the conversation in log.txt. Maybe this gives you
some hints.

Are you sure that this does not stretch small images? Please see elog:931

> two new elog.conf parameters are defined:
> Attached image width          ; width of full view image attached
> Attached image width entry    ; width of attached image in the entry list view

I would rather go with a new class in the CSS file to contain this options, since I 
want to keep the number of options as small as possible.

> current version uses strstr() to check if the file has the expected ascii
> text extension ... this is buggy becouse this way a file named
> ".txt_hidden_file" or "foo.config.dat" are both seen as .txt files.

I added your routine chkext() to the code, but actually use it differently. I
display now ASCII files not by their extension, but the code checks for each file
to contain non-printable characters. If it contains all printable letters, and does
not have the extension PDF, PS or EPS, it's shown inline.