> the following should do the job:
> 
> <div style="width: 200px">
> <img src="IMG_3133.jpg" style="width: 100%" />
> </div>
> 
> the configurable parameter should be with obviously :-)

Unfortunately not. Please find attached the screen dump from such a try, together with the HTML code.
As you can see, the little elog icon is stretched to the same width as the upper (large) picture.

Dear ELOG users,

It has been brought to my attention that ELOG has a vulnerability through
which one can obtain a remote shell (meaning to log in to your machine
through elog). There is even an exploit available which demonstrates that
both for linux and windows.

This is a severe security problem for all logooks which can be seen from
outside, even if they have password protection on. I strongly recommened to
upgrade to elog version 2.5.7 as soon as possible if you run a public elog
server.

Here is some explanation for the technically interested:

The problem arises from a strcpy() in the decode_post() routine, which
triggers a buffer overflow when attachment file names longer than 256
characters are submitted. I replaced (hopefully) all strcpy() with strlcpy()
to fix this problem, but if someone sees a location which I have missed,
please tell me.

The second vulnerability had to do with write passwords. If you put a "write
password = xxx" statement into your config file, it was still possible to
download the config file with a special hand-written URL, and decode the
write password, which is usually only base-64 encoded unless you haven't
compiled elog with the -DHAVE_CRYPT flag. I have changed that so if a write
password is present, the download is only possible when this password is
submitted in each request. If this has some effects on synchronizing of
logbooks, please let me know.

Stefan Ritt

Attention to Debian users;

I've prepared the fixed package and also contacted to Debian Security Team for
an urgent security upload.  Since then you may wish to update your package from
the following URL:

  http://l10n-turkish.alioth.debian.org/debian/elog_2.5.7+r1558-1_i386.deb

Or you can also make an update via apt-get by adding the below line to your
'/etc/apt/sources.list' file:

  deb http://l10n-turkish.alioth.debian.org/debian/ ./

> The second vulnerability had to do with write passwords. If you put a "write
> password = xxx" statement into your config file, it was still possible to
> download the config file with a special hand-written URL, and decode the
> write password, which is usually only base-64 encoded unless you haven't
> compiled elog with the -DHAVE_CRYPT flag.

FYI, Debian package has already been compiled with this flag.

 -- Recai Oktas, Maintainer of Debian package

If you have a space in a logbook name and you enable password list, then 
the "List" menu option forces you to the login page each time.
The URL says "aaa+bbb", but when you do not have passwords enabled, the 
URL is "aaa bbb"

> > > as this url shows http://www.htmlhelp.com/tools/validator/problems.html#amp
> > 

> > > it should be used an HTML entity instead of the ampersand sign.<p>
> > 
> > Can you please be a bit more specific? In which URL should the ampersand be
> > replaced?
> 
> uhmm...
> 
> http://midas.psi.ch/elogs/Forum/page2?mode=threaded&expand=0&last=7
> 
> the bug is also a "documentation bug", infact similar tricks are also
> in FAQs (FAQ 5 for example)
> 
> I tried to substitute avery occurrence of hard coded "&" with "&amp;" but it does
> not do the job at all ... infact the first time the HTML code is ok, but
> following a link let the browser to automatically decode html entities .. and
> everything turns wrong again ... maybe the encoding should be done in
> printing-to-the-browser-time ..

BTW, the current url (taht should be perfectly well formed makes the elog not to
display attachments ... so may be thare is a problema in the query string decoding
routine ...

http://somehost.it:8080/LBNAME/?mode=full&amp;attach=1

> > > as this url shows http://www.htmlhelp.com/tools/validator/problems.html#amp
> > 

> > > it should be used an HTML entity instead of the ampersand sign.<p>
> > 
> > Can you please be a bit more specific? In which URL should the ampersand be
> > replaced?
> 
> uhmm...
> 
> http://midas.psi.ch/elogs/Forum/page2?mode=threaded&expand=0&last=7
> 
> the bug is also a "documentation bug", infact similar tricks are also
> in FAQs (FAQ 5 for example)
> 
> I tried to substitute avery occurrence of hard coded "&" with "&amp;" but it does
> not do the job at all ... infact the first time the HTML code is ok, but
> following a link let the browser to automatically decode html entities .. and
> everything turns wrong again ... maybe the encoding should be done in
> printing-to-the-browser-time ..

BTW, the current url (taht should be perfectly well formed makes the elog not to
display attachments ... so may be thare is a problema in the query string decoding
routine ...

http://somehost.it:8080/LBNAME/?mode=full&amp;attach=1

Hi all,

I'm trying to use the command-line client from linux, but I can't make it work and that's driving me nuts...

What I want is to reply to a selected message in the logbook, but I stumble onto two problems:

1. There is a read password ("Read Password=..." entry in elogd.cfg)on the logbook which I cannot bypass from the client. Specifying the switch -u "" password on the command line has no effect, and neither does -w password. The error message I get is included at the bottom of this message. If I disable the read password, I get past the authentication.
2. There is a required attribute called "Publiek", and it's defined as MOptions. Whenever I try to upload, I keep getting the message that it misses this attribute. I tried the switch -a Publiek=Anders, -a "Publiek=Anders", -a Publiek_0=Anders, -a "Publiek_0=Anders" -a "Publiek_1=Onbekend, -a Publiek=1 on the beginning, end, and middle of the command, but the results are the same. Both "Anders" and "Onbekend" are in the MOptions list (including capitals).

For completeness, here's (one variety) of my command line:

elog -a "Publiek=1" -h localhost -p 8181 -l Artikelen -v -r 80

The obvious question is if anybody knows what I'm doing wrong. Any help is greatly appreciated.

Pieter

Successfully connected to host localhost,
port 8181
Request sent to host:
GET /Artikelen/80?cmd=download HTTP/1.0
Host: pde.dyndns.org
User-Agent: ELOG
Cookie: upwd=bWFOZGFyaWpO;

Response received:
HTTP/1.1 401 Authorization Required
Server: ELOG HTTP 2.5.7-1
WWW-Authenticate: Basic realm="Artikelen"
Connection: close
Content-Type: text/html

<HTML><HEAD>
<TITLE>401 Authorization Required</TITLE>
</HEAD><BODY>
<H1>Authorization Required</H1>
This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.

</BODY></HTML>

Error transmitting message

Successfully connected to host localhost, port 8181
Request sent to host:
POST /Artikelen/ HTTP/1.0
Content-Type: multipart/form-data; boundary=---------------------------75ABFDB1E
CB47273B853CE0
Host: pde.dyndns.org
User-Agent: ELOG
Content-Length: 3651


Content sent to host.
Response received:
HTTP/1.1 200 Document follows
Server: ELOG HTTP 2.5.7-1
Content-Type: text/html;charset=ISO-8859-1
Connection: Keep-Alive
Keep-Alive: timeout=60, max=10

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>ELOG error</title>
<link rel="stylesheet" type="text/css" href="default.css">
<link rel="shortcut icon" href="favicon.ico">
<link rel="icon" href="favicon.png" type="image/png">
</head>
<body><center>
<table class="dlgframe" width="50%" cellpadding=1 cellspacing=0<tr><td
class="er
rormsg"><i>Error: Attribute <b>Publiek</b> not
supplied.</i><p>
Please go back and enter the <b>Publiek</b> field.
</td></tr>
<tr><td class="errormsg">Please use your browser's back button to go back
</td></tr>
</table>
</center></body></html>

Error: Missing required attribute "Publiek"

Hi to all,

I've prepared a new Debian package.  This version will probably be the one
which you'll find in Sarge/stable.

There are some invasive changes in this version which call for a serious
test.  In accordance with a suggestion, I've changed the configuration
mechanism.  For details, please read the NEWS.Debian file attached.

Could the Debian users who follow this forum test it and give some feedback?
You can download the package from the following link:

  http://l10n-turkish.alioth.debian.org/debian/elog_2.5.8+r1592-1_i386.deb

Thanks in advance for your participation,