As we are currently fixing bugs and improving performance, we decided to
release another version of modlogan only 3 days after modlogan 0.7.11.
The bugfixes in this release concern all users of the 'splitby' option;
all other users get more speed, new features and a new command-line option
which affects all users.
Security warning:
-----------------
Before we start with the changes of this release we have to publish a
security warning for modlogan:
modlogan 0.5.0 to modlogan 0.7.11 are vulnerable to a symlink attack if and
only if
1. the splitby option of the processor_web plugin is used
2. the splitby option was used with an insecure regex
3. modlogan was run as root
If all three conditions apply to your setup, a local user can use a symlink
attack to overwrite files which are owned by the user root.
Attack Scenario:
The splitby option is set to
split=srvhost,"(.+)",$1
and the output directory is set to
outputdir = /usr/local/httpd/htdocs/www.site.de/reports/
to split a logfile into reports per virtual host.
An attacker may submit an invalid hostname '../../../../../../tmp/evil-link'
by sending the following request:
> GET / HTTP/1.0
> Host: ../../../../../../tmp/evil-link
This hostname would be logged by the web server into the logfile, and
modlogan would use this hostname as the path extension (subpath) of the
output directory:
/usr/local/httpd/htdocs/www.site.de/reports/../../../../../../tmp/evil-link
which resolves to
/tmp/evil-link
which can be a symlink to /etc/passwd or whatever.
Major Changes:
--------------
- Consequently, this bug has been addressed in several ways in this
release:
1. modlogan doesn't run as root by default (use the command-line switch
-r/--root to disable the root-check)
2. a subpath starting with '..' is forbidden
3. a subpath containing '/../' is forbidden
- the throughput value was calculated incorrectly. As the user time is now
used as the timebase, the throughput value will drop dramatically compared
to previous versions
- Some internal code paths were optimised, which should make modlogan a lot
faster in the parsing section and the template plugin (10 - 20%)
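To make the subpath rules from point 2 and 3 above concrete, here is an added
example (not modlogan's own code) of how such a check can be written in C. It
implements the two literal rules from this release ("starts with '..'" and
"contains '/../'") and, as the editor's own generalization, a stricter
component-wise check that rejects absolute paths, empty components and any
"." or ".." component, including a trailing "/..", which the two literal rules
alone let through. The output directory and the Host values are constructed
sample data taken from the scenario above.

```c
#include <stdio.h>
#include <string.h>

/* Literal rules as described in the 0.7.12 release notes:
 * reject a subpath that starts with ".." or contains "/../".
 * Returns 1 if the subpath passes, 0 if it is rejected. */
int subpath_ok_literal(const char *sub)
{
    if (sub == NULL || *sub == '\0') return 0;
    if (strncmp(sub, "..", 2) == 0) return 0;
    if (strstr(sub, "/../") != NULL) return 0;
    return 1;
}

/* Stricter component-wise check (editor's assumption, not the project's
 * code): reject absolute paths, empty components ("a//b"), and any
 * component that is exactly "." or "..", wherever it appears. */
int subpath_ok_strict(const char *sub)
{
    if (sub == NULL || *sub == '\0' || *sub == '/') return 0;
    const char *p = sub;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0) return 0;                            /* "a//b"     */
        if (len == 1 && p[0] == '.') return 0;             /* "."        */
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0; /* ".."    */
        if (!end) break;
        p = end + 1;
    }
    return 1;
}

/* Append the subpath to the configured outputdir only after validation.
 * Returns 1 and fills dst on success, 0 if rejected or too long. */
int build_report_path(char *dst, size_t dstlen,
                      const char *outputdir, const char *sub)
{
    if (!subpath_ok_strict(sub)) return 0;
    int n = snprintf(dst, dstlen, "%s%s", outputdir, sub);
    if (n < 0 || (size_t)n >= dstlen) return 0;
    return 1;
}

int main(void)
{
    const char *outputdir = "/usr/local/httpd/htdocs/www.site.de/reports/";
    /* constructed sample Host values as they might appear in a logfile */
    const char *hosts[] = {
        "www.site.de",
        "../../../../../../tmp/evil-link",
        "www.site.de/..",
        "/etc",
    };
    char path[512];
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        if (build_report_path(path, sizeof path, outputdir, hosts[i]))
            printf("accepted: %s\n", path);
        else
            printf("rejected: %s (literal rules: %s)\n", hosts[i],
                   subpath_ok_literal(hosts[i]) ? "pass" : "reject");
    }
    return 0;
}
```

Running it shows that "www.site.de/.." passes the two literal rules but is
rejected by the component-wise check; validating per path component rather
than by substring is the form of this check that does not depend on where the
".." happens to sit.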
New Configfile-options:
-----------------------
- [global] - show_available_config_options
- [output_template] - show_available_reports_and_die
Read more at
http://jan.kneschke.de/projects/modlogan/docs/before_startup.php
Minor Changes:
--------------
- the number of reports for the mail-server logs has been increased from 2
to 10 reports
- a configuration wizard, modlogan-config, will now help you generate
config files for modlogan (see below)
Who should update:
------------------
- Everyone, especially users of the splitby option.
New pages at jan.kneschke.de:
-----------------------------
http://jan.kneschke.de/projects/modlogan/docs/before_startup.php
http://jan.kneschke.de/projects/modlogan/docs/themes/
URLs:
-----
Sources:
http://jan.kneschke.de/projects/modlogan/download/modlogan-0.7.12.tar.gz
http://jan.kneschke.de/projects/modlogan/download/modlogan-0.7.12-1.src.rpm
Binaries:
http://jan.kneschke.de/projects/modlogan/download/modlogan-0.7.12-1.i386.rpm
Themes:
http://jan.kneschke.de/projects/modlogan/download/modlogan-themes-0.0.2.tar.gz
Configuration-Wizard:
http://jan.kneschke.de/projects/modlogan/download/modlogan-config-0.0.1.tar.gz
Changelog:
----------
-- 04.01.2002 16:28
- glue code (global)
o added protection against the '..' attack against the splitter - ostborn
o saved some allocations/deallocations by using mrecord_reset() - ostborn
o modlogan doesn't want to run as root from now on - ostborn
o the throughput is now calculated by rec/user-time - ostborn
o added "show_available_config_options" option - ostborn
o saved some more allocations by using mrecord_move() - ostborn
- output
- template
o removed some unnecessary allocations and copies - ostborn
- small speed boost, less memory fragmentation, less memory usage
o added "show_available_reports_and_die" option - ostborn
o added 8 new mail reports - ostborn
- doc/etc
o added some menu-structs and report-defaults for the mail reports - ostborn
- processor
- mail
o added a number-cruncher for the virus information and two for the
domain parts of the mail addresses - ostborn