FastCGI-stderr Alert - configured request variable name length limit exceeded

Slam

I've upgraded from 2.0.1 to 2.0.2 64bit version and have noticed the following alert in my logs, at least one other forum user has the same problem, although theirs is related to a dashboard widget, mine relates to a link on a custom captive portal page.

Jan 4 08:22:23 lighttpd[40989]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable…

I think /etc/rc.php_ini_setup is missing

suhosin.request.max_varname_length

And php is using the defaults

suhosin.request.max_varname_length (default 64)

Maybe 64 (char?) isnt long enough in some cases?

eri--

Are you using that long var name?
Also can you gitsync to latest RELENG_2_0 and see if you still get the warning?

Slam

I gitsynced and I still had the problem

Jan 4 20:05:25 lighttpd[27888]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'amp;{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid' (attacker '10.0.0.205', file '/usr/local/captiveportal/index.php')
Jan 4 20:05:25 lighttpd[27888]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'amp;{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid' (attacker '10.0.0.205', file '/usr/local/captiveportal/index.php')

@ermal:

Are you using that long var name?

No sorry, Ive come to the conclusion it has nothing to do with my portal page or links within it, I cant reproduce the error myself and I dont know what browser the clients generating this error are using, but I think its Chrome as any search on the internet for that alert, relates to its default home page or variations of it.

default_search_provider: search_url = CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}

In any case its over 64 char long and also the dropped variable of the other forum user reporting the same problem, his was also over 64 char long.

@jikjik101:

Jan 4 08:22:23	lighttpd[40989]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'yui:3_5_1/widget-position-constrain/widget-position-constrain-min_js' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
Jan 4 08:22:23	lighttpd[40989]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'yui:3_5_1/widget-position-constrain/widget-position-constrain-min_js' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
Jan 4 08:11:37	lighttpd[40989]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'yui:3_5_1/build/querystring-stringify-simple/querystring-stringify-simple-min_js' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
Jan 4 08:11:37	lighttpd[40989]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'yui:3_5_1/build/querystring-stringify-simple/querystring-stringify-simple-min_js' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')

I asked him to to remove his IPsec widget he said he had installed and he said no more errors were being reported in the syslog

For now I have added missing part and bumped the default 64 to 128

suhosin.request.max_varname_length = 128

to /etc/rc.php_ini_setup and ran the script afterwards to update the php.ini's on the firewall, so far the errors have gone away.

Ill test for another 24 hours and change the value to 64 and see if the errors come back?

jikjik101

the IPSec and the System Information widgets caused the problem.
I think it has to do with the Uptime bar in the System Information widget.

Can you also please check that?

Edit: Still has```
lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'yui:3_5_1/build/querystring-stringify/querystring-stringify-min_js'

Widgets on dashboard: Traffic graphs, gateways and interfaces.
I'll try to remove them one by one and repost if i'll encounter same error.

For the meantime, ill try your fix.

Slam

I just checked my logs this morning and found one instance of the dropped variable, I made a phpinfo file on the firewall and realised the entered value (128) I had set in /etc/rc.php_ini_setup was being ignored, I dont know where else this is set at this point.

The reason I thought in your case it was only IPsec is because I also have the System Information widget and it doesnt throw out the exact same error, can you tell me, do you use Chrome browser? if so could you try another browser as it seems you can generate this error yourself, I've tried for 2 days and I cant reproduce it, even though I can see this warning coming from at least 5 different clients of mine.

jikjik101

2 hours running and no error, this time without the IPSec widget.

Yup, im running Chrome.
I also tested it with Firefox and IE for the last two hours and both have same results with Chrome.
No error without the IPSec widget.

jikjik101

Update:
Same error:```
lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'yui:3_5_1/build/autocomplete-list-keys/autocomplete-list-keys-min_js'

No IPSec widget on dashboard but with System Information.
I will remove Sys Inf widget and post observation later.

Slam

Im still trying to figure out how to make my changes work, phpinfo is giving me different value than what I set, I've run /etc/rc.php_ini_setup and reboot but nothing, I dont know if the information phpinfo is showing me is cached from somewhere?

my added line to the default /etc/rc.php_ini_setup which when run correctly populates /usr/local/etc/php.ini and /usr/local/lib/php.ini

[suhosin]
suhosin.get.max_array_depth = 5000
suhosin.get.max_array_index_length = 256
suhosin.get.max_vars = 5000
suhosin.get.max_value_length = 500000
suhosin.post.max_array_depth = 5000
suhosin.post.max_array_index_length = 256
suhosin.post.max_vars = 5000
suhosin.post.max_value_length = 500000
suhosin.request.max_array_depth = 5000
suhosin.request.max_array_index_length = 256
suhosin.request.max_vars = 5000
suhosin.request.max_value_length = 500000
suhosin.request.max_varname_length = 256
suhosin.memory_limit = 512435456

I run the same widget as you and get no such error, are you using some kind of Chrome plugin for autocomplete?

jikjik101

I primarily use Chrome. The dashboard is usually open 24/7 on our server.
I will try to close it this time and check on my workstation using IE or FF.

Chrome has no plugins except for DAP and weather.
No autocomplete also.

Slam

I cant generate the alert with any browser that I try, I am using Chrome 23.0.1271.97 with just a few plugins, I've tried FF and IE8 but still no alerts.

What I've done so far is add the red highlighted suhosin directive above to my /etc/rc.php_ini_setup and then run the script, I then created a folder in /usr/local/etc/ called php and copied /usr/local/etc/php.ini to newly created folder - /usr/local/etc/php/php.ini is now able to be read with phpinfo();

I dont know if this is the right way of doing it.

I've rebooted just to be sure and now I can test properly, originally I bumped the value from the default 64 to 128 and still got the FastCGI alerts, I'll report back if I get the same with the value bumped to 256, once the clients start accessing the network.

jikjik101

IE has different errors:

Jan 7 14:07:24 lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'P,_trading,_US_market,_Asian_market,_Dow_Jones,_FTSE,_DJIA,_DAX,_stocks,_bonds,_shares"}]},{w:"2",x:[{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"},{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"}]' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
Jan 7 14:07:24 lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'P,_trading,_US_market,_Asian_market,_Dow_Jones,_FTSE,_DJIA,_DAX,_stocks,_bonds,_shares"}]},{w:"2",x:[{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"},{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"}]' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')

Why does stock markets included in the error?  ??? ;D
My browser tabs has the dashboard, the syslogs and this forum only. IE 9.0.8112.16421

But```
Jan 7 14:05:05 lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'yui:gallery-2011_04_20-13-04/build/gallery-jsonp/gallery-jsonp-min_js' (attacker ....

Slam

@jikjik101:

IE has different errors:

Jan 7 14:07:24 lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'P,_trading,_US_market,_Asian_market,_Dow_Jones,_FTSE,_DJIA,_DAX,_stocks,_bonds,_shares"}]},{w:"2",x:[{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"},{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"}]' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')
Jan 7 14:07:24 lighttpd[35079]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'P,_trading,_US_market,_Asian_market,_Dow_Jones,_FTSE,_DJIA,_DAX,_stocks,_bonds,_shares"}]},{w:"2",x:[{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"},{h:0,t:"title",c:"Century Properties Group Inc (CPG.PS) News| Reuters.com"}]' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')

Thats interesting, I found that the referenced file  in your log pointing to /usr/local/www/sqerror.php doesnt exist on my 2.0.3 setup

Why does stock markets included in the error?  ??? ;D
My browser tabs has the dashboard, the syslogs and this forum only. IE 9.0.8112.16421

Maybe your system if telling us something…we're in for another stock market crash! Lol

I think what is happening is some browsers that are connecting directly to the firewall (webgui admins, cp users etc) are generating variables longer than the firewall has allowed, this could be some kind of news ticker, rss feed plugin or something similar.

I checked my log after my changes and to my horror I find another error, though this is a new one, I think we are getting close to solve this.

Jan 7 09:06:05 lighttpd[51116]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured POST variable name length limit exceeded - dropped variable 'amp;{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid' (attacker '10.0.0.199', file '/usr/local/captiveportal/index.php')
Jan 7 09:06:05 lighttpd[51116]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured POST variable name length limit exceeded - dropped variable 'amp;{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid' (attacker '10.0.0.199', file '/usr/local/captiveportal/index.php')

If you notice its almost the same error as before but this time its complaining "configured POST variable name length limit exceeded", I have come across a few suhosin directives that ?seem to be missing from /etc/rc.php_ini_setup.

For my new error I will try "suhosin.post.max_name_length = 256" to rc.php_ini_setup and see what happens next, unfortunately I wont be able to test this until tonight once there is less users on my network.

DEV's: Can you please check if all of the required suhosin directives needed are in rc.php_ini_setup , I say this because it seems if they arent included in the rc.php_ini_setup file then the defaults are used instead, in some cases I have seen this value as low as 64.  More specifically the suhosin.*.max_*name_length directives.

Im no coder but I think this is where the problem may come from.

jikjik101

@Abdsalem:

Thats interesting, I found that the referenced file  in your log pointing to /usr/local/www/sqerror.php doesnt exist on my 2.0.3 setup

2.0.3? Mine is 2.0.2 only.
All my errors reference to this /usr/local/www/sqerror.php

@Abdsalem:

I think what is happening is some browsers that are connecting directly to the firewall (webgui admins, cp users etc) are generating variables longer than the firewall has allowed, this could be some kind of news ticker, rss feed plugin or something similar.

maybe, but i check my browsers, there are no rss feed plugin or anything that might point to news feeds or alike.

@Abdsalem:

Maybe your system if telling us something…we're in for another stock market crash! Lol

is that good news or bad news? hahaha. Doomsday preppers.

I cannot see the last 5 minutes of my syslog because it is filled with```
dhcpd: DHCPDISCOVER from

can you tell me how to view the previous logs?

Slam

You can get the pre release images from here:-

x32 http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_RELENG_2_0/updates/?C=M;O=D

x64 http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_RELENG_2_0/updates/?C=M;O=D

For your logs you can try and go Status/System Log/Settings and change "Number of log entries to show:"  to a value higher than the default 50, you should then be able to see more of the logs.

Every new suhosin directive I add I come across a new type of alert, the good news is the clients with the initial alerts have now stopped generating them and that is due to the new directives I added, the latest alert I get now.

Jan 7 23:18:57 lighttpd[25000]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured COOKIE variable name length limit exceeded - dropped variable 'ebNewBandWidth__www_youtube_com=46%3A1357562139317;expires=Tue,_7_Jan_2014_12:35:45_UTC;_path=/;_domain=_www_youtube_com' (attacker '10.0.0.170', file '/usr/local/captiveportal/index.php')

I'll add suhosin.cookie.max_name_length = 256 (default 64) later on and see what happens next.

I have to say though at this point, I dont know if this is the right way of stopping these alerts and if I am creating new problems for myself in the future.

This is what I have added to /etc/rc.php_ini_setup so far and their values, the default values showed as 64 using phpinfo.

suhosin.request.max_varname_length =  256
suhosin.post.max_name_length = 256
suhosin.cookie.max_name_length = 256

jikjik101

sorry, i forgot to tell you that the number of log entries to show was already 2000 (maximum).
All 2000 entries are about dhcpd in just 20 seconds.

dhcpd: DHCPDISCOVER from 38:60:77:f0:04:bb via em0: network 172.100.100.0/22: no free leases

but that is just normal since i am using reserve dhcp in my lan.

I have to say though at this point, I dont know if this is the right way of stopping these alerts and if I am creating new problems for myself in the future.

that's what i thought also, we might solve one problem and create another two in the future.  ;D
no offense, but i was very grateful for your help.

anyway, i built another two 2.0.2 boxes for my CARP and there is no error in the syslog. even without the gitsync procedure.

jikjik101

One second after I login to the webgui in IE. I am sure I did not set the auto complete in my browser.

lighttpd[38781]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured GET variable name length limit exceeded - dropped variable 'yui:3_5_1/build/autocomplete-highlighters/autocomplete-highlighters-min_js' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php') ALERT - configured GET variable name length limit exceeded - dropped variable 'yui:gallery-2011_04_20-13-04/build/gallery-node-tokeninput/gallery-node-tokeninput-min_js' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php') ALERT - configured GET variable name length limit exceeded - dropped variable 'yui:gallery-2011_04_20-13-04/build/gallery-storage-lite/gallery-storage-lite-min_js' (attacker '111.111.111.111', file '/usr/local/www/sgerror.php')

Slam

I just wanted to report that I installed a pre release 2.0.3 upgrade image, I have been running this for almost 24 hours and I havent seen a fastcgi alert so far, I left the default rc.php_ini_setup as it was, without any additional changes from myself.

Slam

I spoke too soon…

Jan 10 09:16:01 lighttpd[26376]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'DmMkQ0oXjjYsifmGE27WfNUhGd0wLNtH/h2kT7h1Fe5s
Jan 10 09:16:01 lighttpd[26376]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'DmMkQ0oXjjYsifmGE27WfNUhGd0wLNtH/h2kT7h1Fe5

Also I installed the squid 3.2 package last night and I think this maybe related but then again it might not be.

Jan 10 16:52:04 lighttpd[26376]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'checklic' (attacker '10.0.0.156', file '/usr/local/captiveportal/index.php')

I've truncated the first alert as it messed up the post and because it looks like some kind of session or similar.

dpa

I am also having this in my sys log.

Mar 11 22:52:12 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:12 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:08 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:08 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:07 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:07 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchi07vFfAFuBjnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYFR593/MA' (attacker '192.168.2.77', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:06 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchSo7uFLEFuVgnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYIftZ33Mx4GKwAg9mY3qw' (attacker '192.168.2.16', file '/usr/local/captiveportal/index.php')
Mar 11 22:52:06 lighttpd[53690]: (mod_fastcgi.c.2676) FastCGI-stderr: ALERT - configured request variable name length limit exceeded - dropped variable 'upqchSo7uFLEFuVgnIKGIwiLrHo3Vt68T3yqvhQu2TqetQ78roy7Q6bpTfDUtYIftZ33Mx4GKwAg9mY3qw' (attacker '192.168.2.16', file '/usr/local/captiveportal/index.php')

I hope to know what is causing this.