Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: XPath error : Invalid expression
Posted: Mon Apr 25, 2016 7:21 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Since doing some yum updates the other week, I'm seeing loads of "XPath error : Invalid expression" in the main httpd error log on my ASL systems.

There's nothing to identify what's causing it - "XPath error : Invalid expression" is all there is on the line.

A Google search indicates this might have something to do with libxml2, and/or possibly a slightly buggy Perl script or maybe a PHP script.

Is anybody else seeing them? It is happening across all my systems, generating loads of "unknown problem somewhere in the system" emails from ASL until I turned email notifications off for that rule (which I don't really want to do!!!).

Here's what I updated just before this started.

Apr 21 13:29:58 Updated: mysql-libs-5.5.49-33.el6.art.x86_64
Apr 21 13:29:59 Updated: mysql-5.5.49-33.el6.art.x86_64
Apr 21 13:30:02 Updated: mysql-server-5.5.49-33.el6.art.x86_64
Apr 21 13:32:16 Updated: nspr-4.11.0-0.1.el6_7.x86_64
Apr 21 13:32:16 Updated: nss-util-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:16 Updated: nss-sysinit-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:17 Updated: nss-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:17 Updated: ossec-hids-2.8.3-53.el6.art.x86_64
Apr 21 13:32:32 Updated: ossec-hids-server-2.8.3-53.el6.art.x86_64
Apr 21 13:32:32 Updated: krb5-libs-1.10.3-42z1.el6_7.x86_64
Apr 21 13:32:32 Updated: krb5-devel-1.10.3-42z1.el6_7.x86_64
Apr 21 13:32:33 Updated: ossec-hids-mysql-2.8.3-53.el6.art.x86_64
Apr 21 13:32:33 Updated: nss-tools-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:33 Updated: mod_qos-11.24-1.el6.art.x86_64
Apr 21 13:32:34 Updated: tzdata-2016c-1.el6.noarch
Apr 21 13:32:34 Updated: libtalloc-2.1.5-1.el6_7.x86_64
Apr 21 13:32:34 Updated: mysqltuner-1.6.9-1.el6.art.noarch
Apr 21 13:32:34 Updated: libtdb-1.3.8-1.el6_7.x86_64
Apr 21 13:32:54 Updated: libtevent-0.9.26-2.el6_7.x86_64

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: XPath error : Invalid expression
Posted: Thu May 12, 2016 10:41 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4086
Location: Chantilly, VA
Basically this error means someone submitted something in XML, it was badly formatted and libxml couldn't disassemble it into its parts and libxml threw this error. Unfortunately, the error message from libxml doesn't tell you what web application, site, IP, dog, cat, Uber driver or whatever was involved. It's basically a useless error because it's not caught by the application that generated it (and not logged by that application), Apache just catches it and logs it. So unless you're debugging something and know that you caused it, it's not very helpful.

_________________
Michael Shinn
Atomicorp - Security For Everyone


 Post subject: Re: XPath error : Invalid expression
Posted: Thu May 12, 2016 6:44 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Thanks Mike.

Hmm.... well, thankfully it doesn't seem to be causing any harm - yet. That I know of :)

 Post subject: Re: XPath error : Invalid expression
Posted: Sun Aug 14, 2016 1:52 pm
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 293
Location: Glasgow, UK
Hi Faris,

Did you get any further with this? I'm getting lots of these also - but now ASL seems to be picking some up for specific vhosts too.

One such failure was triggered with the following request - taken from the audit log:

Code:
--a0787877-A--
[13/Aug/2016:18:53:12 +0100] V69ehm2pO58AAGXZaKkAAAAS [ipremoved] 58394 [ipremoved] 443
--a0787877-B--
POST /autodiscover/autodiscover.xml HTTP/1.1
Host: www.domain.com
Authorization: Bearer
Content-Type: text/xml; charset=utf-8
X-ClientStatistics: DeviceID=1CFEA801-0224A-5836-BC90-CCA59300933A; SessionID=AF90D73A-1BFD-4113-ADB4-410A10D9DFBF
Content-Length: 360
Accept-Language: en
Cookie: PHPSESSID=obpgi2drpi2ij9naukb6k8ns25
Client-Request-Id: {CF1F71D0-D9DA-4F1C-8109-7D588E5E7E19}
Connection: keep-alive
User-Agent: MacOutlook/15.24.0.160709 (Intel Mac OS X Version 10.11.6 (Build 15G31))

--a0787877-C--
<?xml version="1.0" encoding="UTF-8"?><Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"><Request><EMailAddress>username@account.com</EMailAddress><AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema></Request></Autodiscover>
--a0787877-F--
HTTP/1.1 403 Forbidden
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

--a0787877-H--
Message: XML: Unable to evaluate xpath expression.
Apache-Handler: fcgid-script
Stopwatch: 1471110790419065 1758160 (- - -)
Stopwatch2: 1471110790419065 1758160; combined=361118, p1=582, p2=360010, p3=0, p4=0, p5=316, sr=224, sw=210, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); 201608111803.
Server: Apache
Engine-Mode: "ENABLED"

--a0787877-Z--


I find it hard to believe that an autodiscover request from Outlook could cause these errors AND result in a shun!


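Added example, not part of the thread: because the httpd error log line carries no context, the ModSecurity serial audit log shown in the post above can be used to tie each "Unable to evaluate xpath expression" message to a vhost, URI and client. The sketch below parses the `--<id>-<letter>--` section boundaries (A, B, H, Z); the sample log, host names and IPs are constructed placeholders.

```python
import re

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
NEEDLE = "Unable to evaluate xpath expression"
# Constructed sample in the serial audit-log layout (placeholder hosts and IPs).
SAMPLE = """\
--a0000001-A--
[13/Aug/2016:18:53:12 +0100] AAAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 58394 198.51.100.5 443
--a0000001-B--
POST /autodiscover/autodiscover.xml HTTP/1.1
Host: www.example.com
--a0000001-H--
Message: XML: Unable to evaluate xpath expression.
--a0000001-Z--
--a0000002-A--
[13/Aug/2016:18:54:00 +0100] BBBBBBBBBBBBBBBBBBBBBBBB 192.0.2.77 40000 198.51.100.5 80
--a0000002-B--
GET /index.php HTTP/1.1
--a0000002-H--
Message: Warning. Constructed unrelated message.
--a0000002-Z--
"""

def parse_transactions(text):
    """Yield {section letter: lines} per transaction; the Z boundary closes one."""
    sections, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m and m.group(2) == "Z":
            yield sections
            sections, current = {}, None
        elif m:
            current = m.group(2)
        elif current:
            sections.setdefault(current, []).append(line)

def xpath_failures(text):
    """Return (host, uri, client_ip) for each transaction whose H section has the message."""
    hits = []
    for tx in parse_transactions(text):
        if any(l.startswith("Message:") and NEEDLE in l for l in tx.get("H", [])):
            a = (tx.get("A") or [""])[0].split("] ", 1)[-1].split()
            b = tx.get("B") or [""]
            req = b[0].split()
            host = next((l.split(":", 1)[1].strip() for l in b if l.lower().startswith("host:")), "?")
            hits.append((host, req[1] if len(req) > 1 else "?", a[1] if len(a) > 1 else "?"))
    return hits

print(xpath_failures(SAMPLE))
```

Grouping the returned tuples by host and URI shows which vhost or endpoint is generating the bulk of the errors.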
 Post subject: Re: XPath error : Invalid expression
Posted: Sun Aug 14, 2016 4:58 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Ah! I'd forgotten about this post! Thanks Chris.

I've been discussing the Autodiscover thing with the guys in a support ticket. One of our customers was shunned as a result of Outlook on their network connecting to their domain on their hosting account instead of their local server (or something).

But the other Autodiscover attempts I have seen in the log all appear to be potentially malicious - from IPs that would have no business connecting to our servers. There were only a handful mind you.

I think they made some changes in the rule recently, to make it more flexible. Initially it could not be disabled.

Anyway, it makes sense that Autodiscover is the cause of the errors in the logs.

 Post subject: Re: XPath error : Invalid expression
Posted: Mon Aug 15, 2016 4:06 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 293
Location: Glasgow, UK
I'm getting dozens of these each day - and not all relating to autodiscover; many in the generic httpd error log - as you say, with no helpful information.

One client is still complaining that they don't have access, when ASL doesn't seem to have a block on their IP (remote support pending with them).

Just a pity that "False Positive" has been disabled for this rule, so it can't be reported.

I have a hunch that WordPress is the target for other invalid XML data that is being passed; however I've disabled XMLRPC on all but a few vhosts (who specifically want/need it for the WordPress app or desktop management software).

I'll raise a ticket with support to let them know their autodiscover "fix" still isn't working.


 Post subject: Re: XPath error : Invalid expression
Posted: Mon Aug 15, 2016 5:02 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Thanks Chris,

It sounds like there's more to the error than I thought then. Grrr.. :-(

 Post subject: Re: XPath error : Invalid expression
Posted: Mon Aug 15, 2016 5:05 am
Forum Regular

Joined: Tue Nov 23, 2010 7:30 am
Posts: 293
Location: Glasgow, UK
Will let you know the outcome of the ticket.

For the client who was blocked, only a firewall restart got them back in!

