Since doing some yum updates the other week, I'm seeing loads of "XPath error : Invalid expression" in the main httpd error log on my ASL systems.
There's nothing to identify what's causing it - "XPath error : Invalid expression" is all there is on the line.
A Google search indicates this might have something to do with libxml2, and/or possibly a slightly buggy Perl script or maybe a PHP script.
Is anybody else seeing them? It is happening across all my systems, generating loads of "unknown problem somewhere in the system" emails from ASL until I turned email notifications off for that rule (which I don't really want to do!!!).
Here's what I updated just before this started.
Apr 21 13:29:58 Updated: mysql-libs-5.5.49-33.el6.art.x86_64
Apr 21 13:29:59 Updated: mysql-5.5.49-33.el6.art.x86_64
Apr 21 13:30:02 Updated: mysql-server-5.5.49-33.el6.art.x86_64
Apr 21 13:32:16 Updated: nspr-4.11.0-0.1.el6_7.x86_64
Apr 21 13:32:16 Updated: nss-util-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:16 Updated: nss-sysinit-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:17 Updated: nss-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:17 Updated: ossec-hids-2.8.3-53.el6.art.x86_64
Apr 21 13:32:32 Updated: ossec-hids-server-2.8.3-53.el6.art.x86_64
Apr 21 13:32:32 Updated: krb5-libs-1.10.3-42z1.el6_7.x86_64
Apr 21 13:32:32 Updated: krb5-devel-1.10.3-42z1.el6_7.x86_64
Apr 21 13:32:33 Updated: ossec-hids-mysql-2.8.3-53.el6.art.x86_64
Apr 21 13:32:33 Updated: nss-tools-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:33 Updated: mod_qos-11.24-1.el6.art.x86_64
Apr 21 13:32:34 Updated: tzdata-2016c-1.el6.noarch
Apr 21 13:32:34 Updated: libtalloc-2.1.5-1.el6_7.x86_64
Apr 21 13:32:34 Updated: mysqltuner-1.6.9-1.el6.art.noarch
Apr 21 13:32:34 Updated: libtdb-1.3.8-1.el6_7.x86_64
Apr 21 13:32:54 Updated: libtevent-0.9.26-2.el6_7.x86_64
XPath error : Invalid expression
XPath error : Invalid expression
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
Re: XPath error : Invalid expression
Basically this error means someone submitted something in XML, it was badly formatted and libxml couldn't disassemble it into its parts and libxml threw this error. Unfortunately, the error message from libxml doesn't tell you what web application, site, IP, dog, cat, Uber driver or whatever was involved. It's basically a useless error because it's not caught by the application that generated it (and not logged by that application), Apache just catches it and logs it. So unless you're debugging something and know that you caused it, it's not very helpful.
Michael Shinn
Atomicorp - Security For Everyone
Re: XPath error : Invalid expression
Thanks Mike.
Hmm.... well, thankfully it doesn't seem to be causing any harm - yet. That I know of
Re: XPath error : Invalid expression
Hi Faris,
Did you get any further with this? I'm getting lots of these also - but now ASL seems to be picking some up for specific vhosts too.
I find it hard to believe that an autodiscover request from Outlook could cause these errors AND result in a shun!
One such failure was triggered with the following request - taken from the audit log:
--a0787877-A--
[13/Aug/2016:18:53:12 +0100] V69ehm2pO58AAGXZaKkAAAAS [ipremoved] 58394 [ipremoved] 443
--a0787877-B--
POST /autodiscover/autodiscover.xml HTTP/1.1
Host: www.domain.com
Authorization: Bearer
Content-Type: text/xml; charset=utf-8
X-ClientStatistics: DeviceID=1CFEA801-0224A-5836-BC90-CCA59300933A; SessionID=AF90D73A-1BFD-4113-ADB4-410A10D9DFBF
Content-Length: 360
Accept-Language: en
Cookie: PHPSESSID=obpgi2drpi2ij9naukb6k8ns25
Client-Request-Id: {CF1F71D0-D9DA-4F1C-8109-7D588E5E7E19}
Connection: keep-alive
User-Agent: MacOutlook/15.24.0.160709 (Intel Mac OS X Version 10.11.6 (Build 15G31))
--a0787877-C--
<?xml version="1.0" encoding="UTF-8"?><Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"><Request><EMailAddress>username@account.com</EMailAddress><AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema></Request></Autodiscover>
--a0787877-F--
HTTP/1.1 403 Forbidden
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
--a0787877-H--
Message: XML: Unable to evaluate xpath expression.
Apache-Handler: fcgid-script
Stopwatch: 1471110790419065 1758160 (- - -)
Stopwatch2: 1471110790419065 1758160; combined=361118, p1=582, p2=360010, p3=0, p4=0, p5=316, sr=224, sw=210, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); 201608111803.
Server: Apache
Engine-Mode: "ENABLED"
--a0787877-Z--
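Added example (not part of any post in this thread, and not Atomicorp or ModSecurity code): the httpd error log line carries no context, but an audit log entry like the one above does, so this Python script walks a serial-format ModSecurity audit log and reports client, host, request line, User-Agent and response status for every transaction whose section H contains the "Unable to evaluate xpath expression" message. The function names and the embedded sample log are constructed for illustration.

```python
import re

# Constructed sample in ModSecurity serial audit-log format; all values are placeholders.
SAMPLE = """\
--11111111-A--
[13/Aug/2016:18:53:12 +0100] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 58394 198.51.100.5 443
--11111111-B--
POST /autodiscover/autodiscover.xml HTTP/1.1
Host: www.example.com
User-Agent: MacOutlook/15.24.0.160709
--11111111-F--
HTTP/1.1 403 Forbidden
--11111111-H--
Message: XML: Unable to evaluate xpath expression.
--11111111-Z--
--22222222-A--
[13/Aug/2016:19:01:40 +0100] BBBBBBBBBBBBBBBBBBBBBBBB 192.0.2.77 40112 198.51.100.5 80
--22222222-H--
Message: Warning. Constructed unrelated message.
--22222222-Z--
"""
BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")

def parse_audit_log(text):
    """Yield one {section letter: [lines]} dict per transaction."""
    entry = section = None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m and section is not None:
            section.append(line)          # ordinary line inside the current section
        elif m and (m.group(1) == "A" or entry is not None):
            if m.group(1) == "Z":         # Z closes the transaction
                yield entry
                entry = section = None
            else:                         # A opens a transaction, other letters a section
                entry = {} if m.group(1) == "A" else entry
                section = entry.setdefault(m.group(1), [])

def xpath_failures(text, needle="Unable to evaluate xpath expression"):
    """Attribute each matching section-H message to its request."""
    hits = []
    for e in parse_audit_log(text):
        if any(needle in l for l in e.get("H", [])):
            a, b = (e.get("A") or [""])[0].split(), e.get("B") or [""]
            hdr = {k.lower(): v for k, v in (h.split(": ", 1) for h in b[1:] if ": " in h)}
            status = " ".join((e.get("F") or [""])[0].split()[1:]) or None
            hits.append({"client": a[3] if len(a) > 3 else None, "host": hdr.get("host"),
                         "request": b[0], "user_agent": hdr.get("user-agent"), "status": status})
    return hits
```

Grouping the returned records by `host` and `request` separates the Autodiscover hits from anything else producing the same message.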
Re: XPath error : Invalid expression
Ah! I'd forgotten about this post! Thanks Chris.
I've been discussing the Autodiscover thing with the guys in a support ticket. One of our customers was shunned as a result of Outlook on their network connecting to their domain on their hosting account instead of their local server (or something).
But the other Autodiscover attempts I have seen in the log all appear to be potentially malicious - from IPs that would have no business connecting to our servers. There were only a handful mind you.
I think they made some changes in the rule recently, to make it more flexible. Initially it could not be disabled.
Anyway, it makes sense that Autodiscover is the cause of the errors in the logs.
Re: XPath error : Invalid expression
I'm getting dozens of these each day - and not all relating to autodiscover; many in the generic httpd error log - as you say, with no helpful information.
One client is still complaining that they don't have access, when ASL doesn't seem to have a block on their IP (remote support pending with them).
Just a pity that "False Positive" has been disabled for this rule, so it can't be reported.
I have a hunch that WordPress is the target for other invalid XML data that is being passed; however I've disabled XMLRPC on all but a few vhosts (who specifically want/need it for the WordPress app or desktop management software).
I'll raise a ticket with support to let them know their autodiscover "fix" still isn't working.
Re: XPath error : Invalid expression
Thanks Chris,
It sounds like there's more to the error than I thought then. Grrr..
Re: XPath error : Invalid expression
Will let you know the outcome of the ticket.
For the client who was blocked, only a firewall restart got them back in!