SSI: Garbage (leaked data) after date w/ time format

Discussion in 'Bug Reports' started by AndrewT, Mar 19, 2010.

  1. AndrewT

    AndrewT New Member

    Using:

    Code:
    <!--#config timefmt="%A, %B %d"--><!--#echo var="DATE_LOCAL"-->
    Is displaying something like:

    Code:
    Friday, March 19ef="bible/index.shtml">Join us in reading t4T} 
    It appears that data from other requests is being tacked on to the end. Refreshing the page results in new data at the end. Without the time format the date displays normally but obviously not in the desired format.

    Edit: this is on 4.0.13

    Edit 2: You may have trouble duplicating the problem on a low traffic server. Our test server does not have this problem but it also has no real traffic. I've tested this on multiple live servers and the problem exists as described in all cases.
    Last edited: Mar 19, 2010
  2. NayBore

    NayBore New Member

    Leaking Private Data

    I have also observed this problem with the Litespeed drop-in for Apache.

    This appears to be a very serious PUBLIC leak of
    any data that is being piped to std-out,
    whether it is from a secure folder or not,
    and whether or not it is encrypted.

    Please advise with a patch, either to kill, or to repair this process.

    Thanks very much.
  3. mistwang

    mistwang LiteSpeed Staff

    Fix will be in 4.0.14 release.
  4. AndrewT

    AndrewT New Member

    When can we expect 4.0.14?
  5. NayBore

    NayBore New Member

    Over 300 Hours Unpatched

    Several dozens of websites are exposed to this exploit folks.

    I am watching material from SECURE FOLDERS
    being piped into the wild over a Litespeed http server, gang...

    I need a kill switch, please.

    This open-source one is looking good:
    httpd.apache.org
  6. mistwang

    mistwang LiteSpeed Staff

    4.0.14 build will be available tomorrow, you can do a manual update.
  7. mistwang

    mistwang LiteSpeed Staff

    4.0.14 package is available now, just change version number in the download link to get it.
  8. NayBore

    NayBore New Member

    Isolated Treatment For Whiners

    I can NOT morally pursue this change
    until the link becomes PUBLIC.

    Security shuns preferential treatment.

    That's very generous, just the same. Thank you.

    500+ hours.... and ticking.
  9. ffeingol

    ffeingol New Member

    I think this is pretty 'typical' LSWS treatment. 1st they put the new package up (but not links) for early adopters to test. After that they update the download links. Finally, after the upload links have been out a bit, they push it out via the auto-upload.
  10. brrr

    brrr New Member

    Tell that to the Secret Service. :)
  11. AndrewT

    AndrewT New Member

    NOT fixed in 4.0.14
  12. mistwang

    mistwang LiteSpeed Staff

    Can you please send the test script to bug@litespeed ...?
    We tested the script posted at the beginning of this thread, it is fixed. Maybe something else.
  13. AndrewT

    AndrewT New Member

    I just tested using the exact same code that I included in my initial post. The problem is occurring less frequently but it certainly still is occurring.

    Code:
    Thursday, April 29 my feelings and circumstances, I start sinking quickly - just like Peter trying to walk on 
  14. mistwang

    mistwang LiteSpeed Staff

    Please send us the URL, we need to try and analyze.
  15. AndrewT

    AndrewT New Member

    Private message sent.
  16. AndrewT

    AndrewT New Member

    I went ahead and completely stopped and restarted ls and I haven't been able to get it to reoccur. Looks like it might be taken care of now. I'll update if not.
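
A check for the symptom reported in this thread, as an added example that is not part of any post and not LiteSpeed code: it takes fetched page bodies, matches the date rendered for `timefmt="%A, %B %d"`, and reports any text left between the date and the element that should close right after it. The wrapper `<span id="today">` and the function names are assumptions of this example; the leaky sample reuses the output quoted in the first post.

```python
import re

# Regex for each strftime field in the thread's timefmt ("%A, %B %d").
FIELD_RE = {
    "%A": "(?:Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday)",
    "%B": "(?:January|February|March|April|May|June|July|August|"
          "September|October|November|December)",
    "%d": r"\d{2}",
}

def timefmt_to_regex(timefmt):
    """Translate a strftime format to a regex; refuse fields not listed above."""
    parts, i = [], 0
    while i < len(timefmt):
        if timefmt[i] == "%":
            field = timefmt[i:i + 2]
            if field not in FIELD_RE:
                raise ValueError(f"unsupported field {field!r}")
            parts.append(FIELD_RE[field])
            i += 2
        else:
            parts.append(re.escape(timefmt[i]))
            i += 1
    return re.compile("".join(parts))

def leaked_suffix(body, timefmt, open_tag, close_tag):
    """Text between the rendered date and close_tag: '' when clean,
    None when the wrapper or a well-formed date is missing."""
    start = body.find(open_tag)
    if start < 0:
        return None
    m = timefmt_to_regex(timefmt).match(body, start + len(open_tag))
    if m is None:
        return None
    end = body.find(close_tag, m.end())
    return body[m.end():] if end < 0 else body[m.end():end]

def count_leaks(bodies, timefmt, open_tag, close_tag):
    """The bug is intermittent, so check many fetches and count the bad ones."""
    return sum(1 for b in bodies if leaked_suffix(b, timefmt, open_tag, close_tag))

# Constructed responses; the wrapper element is an assumption of this example.
FMT, OPEN, CLOSE = "%A, %B %d", '<span id="today">', "</span>"
CLEAN = '<p><span id="today">Friday, March 19</span></p>'
LEAKY = ('<p><span id="today">Friday, March 19'
         'ef="bible/index.shtml">Join us in reading t4T}</span></p>')
```

Because the reports above say the problem shows up only under real traffic and less often after the update, the count over many fetched bodies is the useful number, not a single request.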
