Your message dated Mon, 31 Jul 2006 23:21:24 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Closing old bug report
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: modlogan
Version: 0.7.12
certain strings (most probably buffer overflow attempts) in logfiles
can cause corruptions in the mla.state.xml file which in turn causes
modlogan to lose its history.
i made the following experience while generating stats from
apache-accesslogs (clf):
modlogan threw this error on startup but seemed to finish the job (it
actually didn't though):
-snip-
Reading searchengines - finished
error: Unescaped '<' not allowed in attributes values
error: attributes construct error
error: error parsing attribute name
error: attributes construct error
error: xmlParseStartTag: problem parsing attributes
error: Couldn't find end of Start Tag
x02%5Cxb1%5Cx02%5Cxb1%5Cx02%5C
error: Opening and ending tag mismatch: req_url and visited
error: Opening and ending tag mismatch: web and req_url
error: Opening and ending tag mismatch: state and web
error: Extra content at the end of the document
main.c.643 (main): startup - finished
-snap-
this pointed me to the mla.state.xml where i found the following entry
(and voila: the 'visited'-starttag wasn't closed in deed):
-snip-
<visited
key="/%5Cx90%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cx
[..and so on..]
5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02%5Cxb1%5Cx02<count>3</count>
<grouped>0</grouped>
<vcount>813</vcount>
</visited>
-snap-
which again pointed me to the last logfile processed before the error
occured where i found this:
-snip-
1.2.3.4 - - [06/Apr/2004:13:49:31 +0200] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1
[..lots and lots of stupid buffer overflow junk..]
\x90\x90\x90\x90\x90\x90" 414 271 "-" "-" "-"
-snap-
so it looks like some bloody iis-worm tried to attack my webserver, but
why would that bother modlogan?
i made this experience on two systems, both running plain vanilla woody
and i think it is a real pain you know where that should be taken care
of.
thanks for your help,
alexander
pgp0MchtE6dhS.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Hi,
I believe this was fixed somewhere with the 0.8 release of modlogan,
i.e. 3 years ago. (bug is reported against 0.7.x)
The key="" attribute in the XML files caused lots of trouble; it was
used to identify visit paths, but for very long visit paths - crawlers
on large sites - this would cause overflows in libxml IIRC.
So the key was hashed, which in turn should solve any issues with
unescaped < chars in there. Also the xml file should be written by
libxml now, too.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
The problem with the future is that it keeps turning into the present. //\
Großen Herren und schönen Frauen V_/_
Soll man gern dienen, wenig trauen. --- Georg Rollenhagen
--- End Message ---
