[External] Re: [Xymon] can I put enadis into debug mode?

Rothlisberger, John R. john.r.rothlisberger at accenture.com
Thu Sep 12 23:58:33 CEST 2019 

That worked for debugging - can at least see where the error is coming from:

76996 2019-09-12 22:42:29.566819  - checking if referer is OK (http_referer: https://our.domain.com/xymon-seccgi/enadis.sh, http_host: 10.20.30.40, xymonwebhost: https://our.domain.com, checkstr: /xymon-seccgi/enadis
76996 2019-09-12 22:42:29.566832 Disallowed request due to unexpected referer 'our.domain.com/xymon-seccgi/enadis.sh', wanted '10.20.30.40/xymon-seccgi/enadis' (originally '/xymon-seccgi/enadis')

http_host is the IP of the Xymon server - but not the same as the URL used for our system (we have several and use a reverse proxy to get to all of them).

Without taking too many wild guesses at which setting defines http_host (can't find it in man pages) - how do I change that?

Thanks,
John

-----Original Message-----
From: Japheth Cleaver <cleaver at terabithia.org> 
Sent: Thursday, September 12, 2019 2:04 PM
To: Rothlisberger, John R. <john.r.rothlisberger at accenture.com>; rene at vermare.net
Cc: xymon at xymon.com
Subject: Re: [External] Re: [Xymon] can I put enadis into debug mode?

So this turned out to be a bit of a pain on systemd/PrivateTmp systems, but this *should* work for you in at least figuring out what's going on here.

In /etc/xymon/cgioptions.cfg, add:
     XYMONCGILOGDIR=/tmp/
and set:
     CGI_ENADIS_OPTS="--env=$XYMONENV --debug"

On a reload of your enable/disable submission, you should be able to find a (probably empty) cgierror.log and a enadis.dbg file inside something like /tmp/systemd-private-<UUID>-httpd.service-<random>/tmp/

Inside enadis.dbg, look for a line that says 'checking if referer is OK'. That should give some info into what we're seeing.

HTH,
-jc


On 9/12/2019 8:08 AM, Rothlisberger, John R. wrote:
> Yes, this server is behind a reverse proxy.
>
> I applied the patches but still can't get either of them to work.
>
> Thanks,
> John
>
> -----Original Message-----
> From: René Vermare <rene at vermare.net>
> Sent: Wednesday, September 11, 2019 5:31 PM
> To: J.C. Cleaver <cleaver at terabithia.org>
> Cc: Rothlisberger, John R. <john.r.rothlisberger at accenture.com>; 
> xymon at xymon.com
> Subject: [External] Re: [Xymon] can I put enadis into debug mode?
>
> This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.
>
> Are you behind a (reverse) proxy-server?
>
> I had also a problem with it, my solution was this (small) patch;
>
>
>
>
>
> --- a/web/enadis.c      2019-07-23 17:29:06.000000000 +0200
>
> +++ b/web/enadis.c      2019-09-11 01:06:33.283642013 +0200
>
> @@ -332,7 +332,8 @@
>
>          int argi, i;
>
>          char *username = getenv("REMOTE_USER");
>
>          char *userhost = getenv("REMOTE_HOST");
>
> -       char *userip   = getenv("REMOTE_ADDR");
>
> +       char *userip   = getenv("HTTP_X_FORWARDED_FOR");
>
> +       if (userip == NULL) userip = getenv("REMOTE_ADDR");
>
>          SBUF_DEFINE(fullmsg);
>
>          char *envarea = NULL;
>
>          int  obeycookies = 1;
>
> --- a/web/acknowledge.c 2019-07-23 17:29:06.000000000 +0200
>
> +++ b/web/acknowledge.c 2019-09-11 01:01:55.493676233 +0200
>
> @@ -374,7 +374,8 @@
>
>
>
>                  parse_query();
>
>                  if (getenv("REMOTE_USER")) {
>
> -                       char *remaddr = getenv("REMOTE_ADDR");
>
> +                       char *remaddr = 
> + getenv("HTTP_X_FORWARDED_FOR");
>
> +                       if (remaddr == NULL) remaddr =
>
> getenv("REMOTE_ADDR");
>
>
>
>                          SBUF_MALLOC(acking_user, 1024 +
>
> strlen(getenv("REMOTE_USER")) + (remaddr ? strlen(remaddr) : 0));
>
>                          snprintf(acking_user, acking_user_buflen,
>
> "\nAcked by: %s", getenv("REMOTE_USER"));
>
>
>
>
>
> Ciao,
>
>
>
> René
>
>
>
>
>
> Op woensdag 11-09-2019 om 15:23 uur [tijdzone -0700], schreef J.C.
>
> Cleaver:
>
>> On Wed, September 11, 2019 8:38 am, Rothlisberger, John R. wrote:
>>> We are having issues with acknowledge.sh & enadis.sh since upgrading 
>>> to
>>> 4.3.29 and then to 4.3.30 on Ubuntu 16.04.
>>> For enadis.sh we do get the following error in the apache log:
>>> 2019-09-11 16:34:23.901080 Enadis POST that is not coming from self 
>>> or svcstatus (referer=https://urldefense.proofpoint.com/v2/url?u=https-3A__xymonserver_xymon-2Dseccgi_enadis.sh&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0NMJtuq&m=47_Fg2P5NnCXjeGZ91uSE0ewHpC0t5NqqX7jlLgzfCA&s=J0cuUTaz0-BmSTtX5xqLeSToSiypwAAC96As47W7POw&e= ). Ignoring.
>>> How can we enable debugging on enadis and have that dump to a file?
>> Unfortunately, it's not quite as easy as it used to be when we were 
>> using shell-based wrappers about the C programs.
>> You can pass "--debug" as an option to the CGI_ENADIS_OPTS variable 
>> in /etc/xymon/cgioptions.cfg , however. If the error appears to be 
>> happening early in the CGI process (before headers are generated), 
>> you can also set
>> CGIDEBUG=1
>> For the issue in question, it seems like the XSS checking is not 
>> working properly or the referer information is somehow being 
>> stripped. Are there any unusual CSP changes in your apache 
>> configuration, or do you have mod_security enabled by any chance?
>> -jc
>> _______________________________________________
>> Xymon mailing list
>> Xymon at xymon.com
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.xymon.com_m
>> ailman_listinfo_xymon&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8Irw
>> NKOtkVU&r=u6KtIBCRNAeN-AbgJjdZe5zZJVFEfq04dnWD-hYNPL_fxJIIFncbL8W6k0N
>> MJtuq&m=47_Fg2P5NnCXjeGZ91uSE0ewHpC0t5NqqX7jlLgzfCA&s=z70877tsNZQ12zd
>> YLp9eQxmXGmHW6DlKsTHrQePbsQU&e=
>
>
> ________________________________________________
>
> Dit bericht is gescand op virussen d.m.v. ClamAV
>
> @vermare.net
>
>
>
>
> ________________________________
>
> This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
> ______________________________________________________________________
> ________________
>
> www.accenture.com

More information about the Xymon mailing list