<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
<br>
Hi Thomas,<br>
this is a suhosin issue with url variables that are zero in
length.<br>
The variable gets dropped in the request and that will result in a
null byte attack.<br>
Read the git:<br>
<a class="moz-txt-link-freetext" href="https://github.com/stefanesser/suhosin/issues/62">https://github.com/stefanesser/suhosin/issues/62</a><br>
<br>
<br>
Rgds.<br>
<br>
Franz<br>
<br>
On 15.01.15 at 17:20, Thomas Spuhler wrote:<br>
</div>
<blockquote cite="mid:32310468.LaBWAS6qEJ@aargau.btspuhler.com"
type="cite">
<pre wrap="">this was thread upgrading from 3.0 to 3.3, but has nothing to do with upgrading kolab
I am still working on this and I think I am honing in on the problem:
I upgraded everything but not:
Roundcubemail
php (to php2.6)
apache
and I have no problem to login. After updating php and apache, I get the following error in the
journalctl httpd.service
Jan 14 17:59:41 vbox.btspuhler.com suhosin[4907]: ALERT - ASCII-NUL chars not allowed within request
variables - dropped variable '_url' (attacker '127.0.0.1', file '/usr/share/roundcubemail/index.php')
Jan 14 17:59:41 vbox.btspuhler.com suhosin[4907]: ALERT - dropped 1 request variables - (0 in GET, 1
in POST, 0 in COOKIE) (attacker '127.0.0.1', file '/usr/share/roundcubemail/index.php')
Has anybody else experienced this?
</pre>
<br>
<pre wrap="">_______________________________________________
users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:users@lists.kolab.org">users@lists.kolab.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kolab.org/mailman/listinfo/users">https://lists.kolab.org/mailman/listinfo/users</a></pre>
</blockquote>
<br>
</body>
</html>