SSI: Garbage (leaked data) after date w/ time format

AndrewT

Well-Known Member
#1
Using:

Code:
<!--#config timefmt="%A, %B %d"--><!--#echo var="DATE_LOCAL"-->
Is displaying something like:

Code:
Friday, March 19ef="bible/index.shtml">Join us in reading t4T}
It appears that data from other requests is being tacked on to the end. Refreshing the page results in new data at the end. Without the time format the date displays normally but obviously not in the desired format.

Edit: this is on 4.0.13

Edit 2: You may have trouble duplicating the problem on a low traffic server. Our test server does not have this problem but it also has no real traffic. I've tested this on multiple live servers and the problem exists as described in all cases.
 
#2
Leaking Private Data

I have also observed this problem with the Litespeed drop-in for Apache.

This appears to be a very serious PUBLIC leak of
any data that is being piped to std-out,
whether it is from a secure folder or not,
and whether or not it is encrypted.

Please advise with a patch, either to kill, or to repair this process.

Thanks very much.
 
#5
Over 300 Hours Unpatched

Several dozen websites are exposed to this exploit, folks.

I am watching material from SECURE FOLDERS
being piped into the wild over a Litespeed http server, gang...

I need a kill switch, please.

This open-source one is looking good:
httpd.apache.org
 
#8
Isolated Treatment For Whiners

4.0.14 package is available now,
just change version number in the download link to get it.
I can NOT morally pursue this change
until the link becomes PUBLIC.

Security shuns preferential treatment.

That's very generous, just the same. Thank you.

500+ hours.... and ticking.
 

ffeingol

Well-Known Member
#9
I think this is pretty 'typical' LSWS treatment. 1st they put the new package up (but not links) for early adopters to test. After that they update the download links. Finally, after the upload links have been out a bit, they push it out via the auto-upload.
 

mistwang

LiteSpeed Staff
#12
Can you please send the test script to bug@litespeed ...?
We tested the script posted at the beginning of this thread, it is fixed. Maybe something else.
 

AndrewT

Well-Known Member
#13
I just tested using the exact same code that I included in my initial post. The problem is occurring less frequently but it certainly still is occurring.

Code:
Thursday, April 29 my feelings and circumstances, I start sinking quickly - just like Peter trying to walk on
 

AndrewT

Well-Known Member
#16
I went ahead and completely stopped and restarted ls and I haven't been able to get it to reoccur. Looks like it might be taken care of now. I'll update if not.
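
Added example (not part of the thread and not LiteSpeed code): a check that a monitoring probe could run repeatedly against a live server to catch the symptom reported above, where extra bytes follow the formatted date. It assumes a hypothetical probe `.shtml` page whose entire body is the two SSI directives from the first post, so the response body should be exactly one date; English day and month names are also an assumption.

```python
import re

# Regex fragments for the strftime directives in the thread's timefmt.
# English day and month names are an assumption of this example.
DIRECTIVES = {
    "%A": r"(?:Mon|Tues|Wednes|Thurs|Fri|Satur|Sun)day",
    "%B": r"(?:January|February|March|April|May|June|July|August"
          r"|September|October|November|December)",
    "%d": r"(?:0[1-9]|[12][0-9]|3[01])",
}
TIMEFMT = "%A, %B %d"  # from the first post

def timefmt_to_regex(timefmt):
    """Translate a strftime-style timefmt into a regex for its rendered form."""
    parts, i = [], 0
    while i < len(timefmt):
        token = timefmt[i:i + 2]
        if token in DIRECTIVES:
            parts.append(DIRECTIVES[token])
            i += 2
        elif timefmt[i] == "%":
            raise ValueError(f"unsupported directive {token!r}")
        else:
            parts.append(re.escape(timefmt[i]))
            i += 1
    return re.compile("".join(parts))

def check_rendered_date(timefmt, body):
    """Return (ok, trailing); ok is True only if body is exactly one date."""
    body = body.rstrip("\r\n")  # tolerate the probe file's final newline
    m = timefmt_to_regex(timefmt).match(body)
    if m is None:
        return False, body  # no well-formed date at all
    trailing = body[m.end():]
    return trailing == "", trailing

if __name__ == "__main__":
    # One constructed clean body, then two outputs quoted in the thread
    # (the second one shortened).
    samples = [
        "Friday, March 19\n",
        'Friday, March 19ef="bible/index.shtml">Join us in reading t4T}',
        "Thursday, April 29 my feelings and circumstances, I start sinking",
    ]
    for body in samples:
        ok, trailing = check_rendered_date(TIMEFMT, body)
        print("OK  " if ok else "LEAK", repr(trailing))
```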
 