Support

AndrewT · #1 03-19-2010, 09:18 AM

Using:

Code:

<!--#config timefmt="%A, %B %d"--><!--#echo var="DATE_LOCAL"-->

Is displaying something like:

Code:

Friday, March 19ef="bible/index.shtml">Join us in reading t4T}

It appears that data from other requests is being tacked on to the end. Refreshing the page results in new data at the end. Without the time format the date displays normally but obviously not in the desired format.

Edit: this is on 4.0.13

Edit 2: You may have trouble duplicating the problem on a low traffic server. Our test server does not have this problem but it also has no real traffic. I've tested this on multiple live servers and the problem exists as described in all cases.

NayBore · #2 03-20-2010, 10:42 AM

I have also observed this problem with the Litespeed drop-in for Apache.

This appears to be a very serious PUBLIC leak of
any data that is being piped to std-out,
whether it is from a secure folder or not,
and whether or not it is encrypted.

Please advise with a patch, either to kill, or to repair this process.

Thanks very much.

mistwang · #3 03-20-2010, 09:55 PM

Fix will be in 4.0.14 release.

AndrewT · #4 03-21-2010, 07:38 AM

When can we expect 4.0.14?

NayBore · #5 03-31-2010, 08:20 PM

Several dozens of websites are are exposed to this exploit folks.

I am watching material from SECURE FOLDERS
being piped into the wild over a Litespeed http server, gang...

I need a kill switch, please.

This open-source one is looking good:
httpd.apache.org

mistwang · #6 04-01-2010, 09:01 PM

4.0.14 build will be available tomorrow, you can do a manual update.

mistwang · #7 04-02-2010, 10:43 AM

4.0.14 package is available now, just change version number in the download link to get it.

NayBore · #8 04-03-2010, 11:46 AM

Quote:

Originally Posted by mistwang

4.0.14 package is available now,
just change version number in the download link to get it.

I can NOT morally pursue this change
until the link becomes PUBLIC.

Security shuns preferential treatment.

That's very generous, just the same. Thank you.

500+ hours.... and ticking.

ffeingol · #9 04-03-2010, 04:22 PM

I think this is pretty 'typical' LSWS treatment. 1st they put the new package up (but not links) for early adopters to test. After that they update the download links. Finally, after the upload link have been out a bit the push it out via the auto-upload.

brrr · #10 04-29-2010, 01:13 AM

Quote:

Originally Posted by NayBore

...Security shuns preferential treatment.

Tell that to the Secret Service.