FastCGI-stderr Alert - configured request variable name length limit exceeded
-
2 hours running and no error, this time without the IPSec widget.
Yup, I'm running Chrome.
I also tested it with Firefox and IE for the last two hours and both have the same results as Chrome.
No error without the IPSec widget.
-
Update:
Same error:
```
lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'yui:3_5_1/build/autocomplete-list-keys/autocomplete-list-keys-min_js'
```
No IPSec widget on dashboard but with System Information. I will remove Sys Inf widget and post observation later.
-
I'm still trying to figure out how to make my changes work. phpinfo is giving me a different value than what I set; I've run /etc/rc.php_ini_setup and rebooted, but nothing. I don't know if the information phpinfo is showing me is cached from somewhere?
My added lines to the default /etc/rc.php_ini_setup, which when run correctly populates /usr/local/etc/php.ini and /usr/local/lib/php.ini:
```
[suhosin]
suhosin.get.max_array_depth = 5000
suhosin.get.max_array_index_length = 256
suhosin.get.max_vars = 5000
suhosin.get.max_value_length = 500000
suhosin.post.max_array_depth = 5000
suhosin.post.max_array_index_length = 256
suhosin.post.max_vars = 5000
suhosin.post.max_value_length = 500000
suhosin.request.max_array_depth = 5000
suhosin.request.max_array_index_length = 256
suhosin.request.max_vars = 5000
suhosin.request.max_value_length = 500000
suhosin.request.max_varname_length = 256
suhosin.memory_limit = 512435456
```
I run the same widget as you and get no such error, are you using some kind of Chrome plugin for autocomplete?
-
I primarily use Chrome. The dashboard is usually open 24/7 on our server.
I will try to close it this time and check on my workstation using IE or FF.
Chrome has no plugins except for DAP and weather.
No autocomplete also.
-
I can't generate the alert with any browser that I try. I am using Chrome 23.0.1271.97 with just a few plugins; I've tried FF and IE8 but still no alerts.
What I've done so far is add the red highlighted suhosin directive above to my /etc/rc.php_ini_setup and then run the script. I then created a folder in /usr/local/etc/ called php and copied /usr/local/etc/php.ini to the newly created folder; /usr/local/etc/php/php.ini is now able to be read with phpinfo();
I don't know if this is the right way of doing it.
I've rebooted just to be sure and now I can test properly. Originally I bumped the value from the default 64 to 128 and still got the FastCGI alerts; I'll report back if I get the same with the value bumped to 256, once the clients start accessing the network.
-
IE has different errors:
```
Jan 7 14:07:24 lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'P,_trading,_US_market,_Asian_market,_Dow_Jones,_FTSE,_DJIA,_DAX,_stocks,_bonds,_shares"}]},{w:"2",x:[{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"},{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"}]' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
Jan 7 14:07:24 lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'P,_trading,_US_market,_Asian_market,_Dow_Jones,_FTSE,_DJIA,_DAX,_stocks,_bonds,_shares"}]},{w:"2",x:[{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"},{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"}]' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
```
Why are stock markets included in the error? ??? ;D
My browser tabs have the dashboard, the syslogs and this forum only. IE 9.0.8112.16421
But
```
Jan 7 14:05:05 lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'yui:gallery-2011_04_20-13-04/build/gallery-jsonp/gallery-jsonp-min_js' (attacker ....
```
-
> IE has different errors:
> Jan 7 14:07:24 lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'P,_trading,_US_market,_Asian_market,_Dow_Jones,_FTSE,_DJIA,_DAX,_stocks,_bonds,_shares"}]},{w:"2",x:[{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"},{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"}]' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
> Jan 7 14:07:24 lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'P,_trading,_US_market,_Asian_market,_Dow_Jones,_FTSE,_DJIA,_DAX,_stocks,_bonds,_shares"}]},{w:"2",x:[{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"},{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"}]' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')

That's interesting, I found that the referenced file in your log pointing to /usr/local/www/sqerror.php doesn't exist on my 2.0.3 setup

> Why are stock markets included in the error? ??? ;D
> My browser tabs have the dashboard, the syslogs and this forum only. IE 9.0.8112.16421

Maybe your system is telling us something… we're in for another stock market crash! Lol
I think what is happening is some browsers that are connecting directly to the firewall (webgui admins, cp users etc) are generating variables longer than the firewall has allowed, this could be some kind of news ticker, rss feed plugin or something similar.
I checked my log after my changes and to my horror I find another error, though this is a new one. I think we are getting close to solving this.
```
Jan 7 09:06:05 lighttpd[51116]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured POST variable name length limit exceeded - dropped variable 'amp;{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid' (attacker '10.0.0.199', file '/usr/local/captiveportal/index.php')
Jan 7 09:06:05 lighttpd[51116]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured POST variable name length limit exceeded - dropped variable 'amp;{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid' (attacker '10.0.0.199', file '/usr/local/captiveportal/index.php')
```
If you notice, it's almost the same error as before, but this time it's complaining "configured POST variable name length limit exceeded". I have come across a few suhosin directives that seem to be missing from /etc/rc.php_ini_setup.
For my new error I will try adding "suhosin.post.max_name_length = 256" to rc.php_ini_setup and see what happens next; unfortunately I won't be able to test this until tonight, once there are fewer users on my network.
DEVs: Can you please check if all of the required suhosin directives are in rc.php_ini_setup? I say this because it seems that if they aren't included in the rc.php_ini_setup file then the defaults are used instead; in some cases I have seen this value as low as 64. More specifically the suhosin.*.max_*name_length directives.
I'm no coder but I think this is where the problem may come from.
-
@Abdsalem:
> That's interesting, I found that the referenced file in your log pointing to /usr/local/www/sqerror.php doesn't exist on my 2.0.3 setup

2.0.3? Mine is 2.0.2 only.
All my errors reference this /usr/local/www/sqerror.php

@Abdsalem:
> I think what is happening is some browsers that are connecting directly to the firewall (webgui admins, cp users etc) are generating variables longer than the firewall has allowed, this could be some kind of news ticker, rss feed plugin or something similar.

Maybe, but I checked my browsers, there are no rss feed plugins or anything that might point to news feeds or alike.

@Abdsalem:
> Maybe your system is telling us something… we're in for another stock market crash! Lol

Is that good news or bad news? Hahaha. Doomsday preppers.
I cannot see the last 5 minutes of my syslog because it is filled with
```
dhcpd: DHCPDISCOVER from
```
Can you tell me how to view the previous logs?
-
You can get the pre release images from here:-
x32 http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_RELENG_2_0/updates/?C=M;O=D
x64 http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_RELENG_2_0/updates/?C=M;O=D
For your logs you can try and go Status/System Log/Settings and change "Number of log entries to show:" to a value higher than the default 50, you should then be able to see more of the logs.
Every new suhosin directive I add I come across a new type of alert, the good news is the clients with the initial alerts have now stopped generating them and that is due to the new directives I added, the latest alert I get now.
Jan 7 23:18:57 lighttpd[25000]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'ebNewBandWidth__www_youtube_com=46%3A1357562139317;expires=Tue,_7_Jan_2014_12:35:45_UTC;_path=/;_domain=_www_youtube_com' (attacker '10.0.0.170', file '/usr/local/captiveportal/index.php')
I'll add suhosin.cookie.max_name_length = 256 (default 64) later on and see what happens next.
I have to say though at this point, I don't know if this is the right way of stopping these alerts and if I am creating new problems for myself in the future.
This is what I have added to /etc/rc.php_ini_setup so far and their values, the default values showed as 64 using phpinfo.
```
suhosin.request.max_varname_length = 256
suhosin.post.max_name_length = 256
suhosin.cookie.max_name_length = 256
```
-
Sorry, I forgot to tell you that the number of log entries to show was already 2000 (maximum).
All 2000 entries are about dhcpd in just 20 seconds.
```
dhcpd: DHCPDISCOVER from 38:60:77:f0:04:bb via em0: network 172.100.100.0/22: no free leases
```
But that is just normal since I am using reserve dhcp in my LAN.

> I have to say though at this point, I don't know if this is the right way of stopping these alerts and if I am creating new problems for myself in the future.

That's what I thought also, we might solve one problem and create another two in the future. ;D
No offense, but I was very grateful for your help.
Anyway, I built another two 2.0.2 boxes for my CARP and there is no error in the syslog, even without the gitsync procedure.
-
One second after I login to the webgui in IE. I am sure I did not set the auto complete in my browser.
```
lighttpd[38781]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured GET variable name length limit exceeded - dropped variable 'yui:3_5_1/build/autocomplete-highlighters/autocomplete-highlighters-min_js' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
ALERT - configured GET variable name length limit exceeded - dropped variable 'yui:gallery-2011_04_20-13-04/build/gallery-node-tokeninput/gallery-node-tokeninput-min_js' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
ALERT - configured GET variable name length limit exceeded - dropped variable 'yui:gallery-2011_04_20-13-04/build/gallery-storage-lite/gallery-storage-lite-min_js' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
```
-
I just wanted to report that I installed a pre release 2.0.3 upgrade image. I have been running this for almost 24 hours and I haven't seen a fastcgi alert so far. I left the default rc.php_ini_setup as it was, without any additional changes from myself.
-
I spoke too soon…
```
Jan 10 09:16:01 lighttpd[26376]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'DmMkQ0oXjjYsifmGE27WfNUhGd0wLNtH/h2kT7h1Fe5s
Jan 10 09:16:01 lighttpd[26376]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'DmMkQ0oXjjYsifmGE27WfNUhGd0wLNtH/h2kT7h1Fe5
```
Also I installed the squid 3.2 package last night and I think this may be related but then again it might not be.
Jan 10 16:52:04 lighttpd[26376]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'checklic' (attacker '10.0.0.156', file '/usr/local/captiveportal/index.php')
I've truncated the first alert as it messed up the post and because it looks like some kind of session or similar.
-
I am also having this in my sys log.
Mar 11 22:52:12 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:12 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:08 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:08 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:07 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:07 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:06 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchSo7uFLEFuVgnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYIftZ33Mx4GKwAg9mY3qw' (attacker '192.168.2.16', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:06 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchSo7uFLEFuVgnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYIftZ33Mx4GKwAg9mY3qw' (attacker '192.168.2.16', file '/usr/local/captiveportal/index.php')
I hope to know what is causing this.
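
An added example (not from any poster in this thread and not pfSense code): a Python triage of the Suhosin alerts quoted throughout the thread. It groups them by source, client and script and reports the longest dropped name, so you can see which alerts a limit of 256 would silence and which would still be dropped. The sample lines are constructed in the thread's log format with documentation addresses; `suhosin.get.max_name_length` is Suhosin's GET counterpart and is not named in the thread.

```python
import re
from collections import defaultdict

# Alert source word -> Suhosin directive that sets its name-length limit.
DIRECTIVE = {
    "request": "suhosin.request.max_varname_length",
    "POST": "suhosin.post.max_name_length",
    "COOKIE": "suhosin.cookie.max_name_length",
    "GET": "suhosin.get.max_name_length",  # not named in the thread
}
ALERT = re.compile(
    r"ALERT - configured (\w+) variable name length limit exceeded - "
    r"dropped variable '(.*?)' \(attacker '([^']*)', file '([^']*)'\)"
)

def triage(log_text, proposed_limit=256):
    """Group alerts by (source, client, script) and report the longest dropped name."""
    groups = defaultdict(lambda: {"count": 0, "longest": 0})
    for src, name, client, script in ALERT.findall(log_text):
        g = groups[(src, client, script)]
        g["count"] += 1
        g["longest"] = max(g["longest"], len(name))
    return [{"directive": DIRECTIVE.get(src, "unknown"), "client": client,
             "script": script, "count": g["count"], "longest_name": g["longest"],
             # True: raising the limit to proposed_limit would not silence this.
             "still_dropped": g["longest"] > proposed_limit}
            for (src, client, script), g in sorted(groups.items())]

def _line(src, name, client, script):
    # Constructed sample line in the log format quoted in the thread.
    return ("Jan  7 09:06:05 lighttpd[51116]: (mod_fastcgi.c.2676) FastCGI-stderr: "
            f"ALERT - configured {src} variable name length limit exceeded - "
            f"dropped variable '{name}' (attacker '{client}', file '{script}')")

CP = "/usr/local/captiveportal/index.php"
SAMPLE = "\n".join([
    _line("request", "yui:3_5_1/build/autocomplete-list-keys/autocomplete-list-keys-min_js",
          "192.0.2.10", "/usr/local/www/index.php"),
    _line("COOKIE", "c" * 120, "192.0.2.20", CP),
    _line("POST", "p" * 90, "192.0.2.20", CP),
    _line("POST", "p" * 300, "192.0.2.20", CP),
    "Jan  7 09:06:06 dhcpd: DHCPDISCOVER from 00:00:5e:00:53:01 via em0",  # ignored
])

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Alerts that were truncated before the `(attacker ...` part, like some of those quoted above, are not matched by this pattern.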