XPath error : Invalid expression

faris

Since doing some yum updates the other week, I'm seeing loads of "XPath error : Invalid expression" in the main httpd error log on my ASL systems.

There's nothing to identify what's causing it - "XPath error : Invalid expression" is all there is on the line.

A Google search indicates this might have something to do with libxml2, and/or possibly a slightly buggy Perl script or maybe a PHP script.

Is anybody else seeing them? It is happening across all my systems, generating loads of "unknown problem somewhere in the system" emails from ASL until I turned email notifications off for that rule (which I don't really want to do!!!).

Here's what I updated just before this started.

Apr 21 13:29:58 Updated: mysql-libs-5.5.49-33.el6.art.x86_64
Apr 21 13:29:59 Updated: mysql-5.5.49-33.el6.art.x86_64
Apr 21 13:30:02 Updated: mysql-server-5.5.49-33.el6.art.x86_64
Apr 21 13:32:16 Updated: nspr-4.11.0-0.1.el6_7.x86_64
Apr 21 13:32:16 Updated: nss-util-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:16 Updated: nss-sysinit-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:17 Updated: nss-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:17 Updated: ossec-hids-2.8.3-53.el6.art.x86_64
Apr 21 13:32:32 Updated: ossec-hids-server-2.8.3-53.el6.art.x86_64
Apr 21 13:32:32 Updated: krb5-libs-1.10.3-42z1.el6_7.x86_64
Apr 21 13:32:32 Updated: krb5-devel-1.10.3-42z1.el6_7.x86_64
Apr 21 13:32:33 Updated: ossec-hids-mysql-2.8.3-53.el6.art.x86_64
Apr 21 13:32:33 Updated: nss-tools-3.21.0-0.3.el6_7.x86_64
Apr 21 13:32:33 Updated: mod_qos-11.24-1.el6.art.x86_64
Apr 21 13:32:34 Updated: tzdata-2016c-1.el6.noarch
Apr 21 13:32:34 Updated: libtalloc-2.1.5-1.el6_7.x86_64
Apr 21 13:32:34 Updated: mysqltuner-1.6.9-1.el6.art.noarch
Apr 21 13:32:34 Updated: libtdb-1.3.8-1.el6_7.x86_64
Apr 21 13:32:54 Updated: libtevent-0.9.26-2.el6_7.x86_64
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin

Basically this error means someone submitted something in XML, it was badly formatted and libxml couldn't disassemble it into its parts and libxml threw this error. Unfortunately, the error message from libxml doesn't tell you what web application, site, IP, dog, cat, Uber driver or whatever was involved. It's basically a useless error because it's not caught by the application that generated it (and not logged by that application), Apache just catches it and logs it. So unless you're debugging something and know that you caused it, it's not very helpful.
faris

Thanks Mike.

Hmm.... well, thankfully it doesn't seem to be causing any harm - yet. That I know of :)
chrismcb

Hi Faris,

Did you get any further with this? I'm getting lots of these also - but now ASL seems to be picking some up for specific vhosts too.

One such failure was triggered with the following request - taken from the audit log:

--a0787877-A--
[13/Aug/2016:18:53:12 +0100] V69ehm2pO58AAGXZaKkAAAAS [ipremoved] 58394 [ipremoved] 443
--a0787877-B--
POST /autodiscover/autodiscover.xml HTTP/1.1
Host: www.domain.com
Authorization: Bearer
Content-Type: text/xml; charset=utf-8
X-ClientStatistics: DeviceID=1CFEA801-0224A-5836-BC90-CCA59300933A; SessionID=AF90D73A-1BFD-4113-ADB4-410A10D9DFBF
Content-Length: 360
Accept-Language: en
Cookie: PHPSESSID=obpgi2drpi2ij9naukb6k8ns25
Client-Request-Id: {CF1F71D0-D9DA-4F1C-8109-7D588E5E7E19}
Connection: keep-alive
User-Agent: MacOutlook/15.24.0.160709 (Intel Mac OS X Version 10.11.6 (Build 15G31))

--a0787877-C--
<?xml version="1.0" encoding="UTF-8"?><Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"><Request><EMailAddress>username@account.com</EMailAddress><AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema></Request></Autodiscover>
--a0787877-F--
HTTP/1.1 403 Forbidden
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

--a0787877-H--
Message: XML: Unable to evaluate xpath expression.
Apache-Handler: fcgid-script
Stopwatch: 1471110790419065 1758160 (- - -)
Stopwatch2: 1471110790419065 1758160; combined=361118, p1=582, p2=360010, p3=0, p4=0, p5=316, sr=224, sw=210, l=0, gc=0
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); 201608111803.
Server: Apache
Engine-Mode: "ENABLED"

--a0787877-Z--

I find it hard to believe that an autodiscover request from Outlook could cause these errors AND result in a shun!
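
The audit-log entry quoted in the post above carries the vhost, path and response status that the bare httpd error log line lacks. As an added example (not from the thread or from ASL), this Python script parses entries in that section-delimited format and counts the ones whose H section carries the XPath message; the sample log, hostnames and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

BOUNDARY = re.compile(r"^--([0-9a-fA-F]{8})-([A-Z])--$")  # e.g. --a0787877-H--
XPATH_MSG = "Unable to evaluate xpath expression"  # section H text quoted in the post

def parse_audit_log(text):
    """Split a serial-format audit log into one {section letter: [lines]} per transaction."""
    transactions, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if not m:
            if current is not None:
                current[section].append(line)
            continue
        section = m.group(2)
        if section == "A":  # A opens a transaction
            current = defaultdict(list)
        elif section == "Z" and current is not None:  # Z closes it
            transactions.append(current)
            current = None
    return transactions

def summarize(tx):
    """Extract what the bare error_log line lacks: client, vhost, path, status, messages."""
    first = lambda sec: tx[sec][0].split() if tx[sec] else []
    a, req, resp = first("A"), first("B"), first("F")
    hdrs = {k.lower(): v for k, v in (ln.split(": ", 1) for ln in tx["B"][1:] if ": " in ln)}
    return {"client": a[3] if len(a) > 3 else None, "host": hdrs.get("host"),
            "path": req[1] if len(req) > 1 else None, "status": resp[1] if len(resp) > 1 else None,
            "messages": [ln[9:] for ln in tx["H"] if ln.startswith("Message: ")]}

def xpath_failures(text, needle=XPATH_MSG):
    """Count transactions whose section H carries the message, keyed by (host, path, status)."""
    return Counter((s["host"], s["path"], s["status"])
                   for s in map(summarize, parse_audit_log(text))
                   if any(needle in m for m in s["messages"]))

def _entry(tx_id, host, path, status, message):  # one constructed audit-log entry
    return (f"--{tx_id}-A--\n[13/Aug/2016:18:53:12 +0100] uid 192.0.2.10 58394 198.51.100.5 443\n"
            f"--{tx_id}-B--\nPOST {path} HTTP/1.1\nHost: {host}\nContent-Type: text/xml\n\n"
            f"--{tx_id}-F--\nHTTP/1.1 {status}\n\n--{tx_id}-H--\nMessage: {message}\n\n--{tx_id}-Z--\n")

AUTOD = ("www.example.com", "/autodiscover/autodiscover.xml", "403 Forbidden", f"XML: {XPATH_MSG}.")
SAMPLE = (_entry("a1111111", *AUTOD) + _entry("b2222222", *AUTOD)  # constructed sample log
          + _entry("c3333333", "shop.example.org", "/checkout", "200 OK", "Warning. Unrelated rule."))

if __name__ == "__main__":
    print(xpath_failures(SAMPLE).most_common())
```

Pointing `xpath_failures` at the contents of a real serial audit log gives a per-vhost, per-path tally to set against the anonymous lines in the httpd error log.
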
faris
Ah! I'd forgotten about this post! Thanks Chris.

I've been discussing the Autodiscover thing with the guys in a support ticket. One of our customers was shunned as a result of Outlook on their network connecting to their domain on their hosting account instead of their local server (or something).

But the other Autodiscover attempts I have seen in the log all appear to be potentially malicious - from IPs that would have no business connecting to our servers. There were only a handful mind you.

I think they made some changes in the rule recently, to make it more flexible. Initially it could not be disabled.

Anyway, it makes sense that Autodiscover is the cause of the errors in the logs.
chrismcb

I'm getting dozens of these each day - and not all relating to autodiscover; many in the generic httpd error log - as you say, with no helpful information.

One client is still complaining that they don't have access, when ASL doesn't seem to have a block on their IP (remote support pending with them).

Just a pity that "False Positive" has been disabled for this rule, so it can't be reported.

I have a hunch that WordPress is the target for other invalid XML data that is being passed; however I've disabled XMLRPC on all but a few vhosts (who specifically want/need it for the WordPress app or desktop management software).

I'll raise a ticket with support to let them know their autodiscover "fix" still isn't working.
faris
Thanks Chris,

It sounds like there's more to the error than I thought then. Grrr.. :-(
chrismcb

Will let you know the outcome of the ticket.

For the client who was blocked, only a firewall restart got them back in!