BlueSpice - User contributions [en]

How to debug

2023-12-15T15:50:57Z

Rvogel:

==Help others to help you==
Sometimes things go wrong. In many cases the user is then confronted with cryptic or no error messages at all. This page provides help about getting more information about what exactly went wrong, so it can be fixed quickly. This is especially important when asking for help on locations like [https://community.bluespice.com community.bluespice.com].

Additional information can also be found at [[mediawikiwiki:Manual:How_to_debug|"Manual:How to debug" on MediaWiki.org]].

{{Textbox|boxtype=warning|header=Check for sensitive information|text=Most of the techniques described here will output very detailed information about the error, but also about the system and the context. The output may contain sensitive information like usernames, passwords, pathes, access-keys and many more. Before posting any information retrieved by this kind of debugging on a public location (like [https://community.bluespice.com community.bluespice.com]), make sure to redact all potential sensitive information!|icon=yes}}

== Generic information ==
In general it is a good idea to provide additional context information about the error. Usually this information is easily to access/gather by the one who reports an error and very valueable to anyone trying to help.

Such information can be
* Browser used (Firefox, Chrome, Edge, ...), ideally with the version
* URLs (which page the error occurs on, additional parameters that may play into the error)
* User permission level or role (admin, reader, editor, reviewer, ...)

Again: Be careful if the shared information contains sensible data and redact it if required.

== Server side debugging ==
There are various ways to get more information about errors by changing some configuration on the server side.

=== Wiki application ===

==== Enable detailed error reporting ====
Within you <code>LocalSettings.php</code> file, please add the following lines:<syntaxhighlight lang="php">
$GLOBALS['wgShowSQLErrors'] = true;
$GLOBALS['wgDebugDumpSql'] = true;
$GLOBALS['wgShowExceptionDetails'] = true;
$GLOBALS['wgShowDBErrorBacktrace'] = true;

</syntaxhighlight>This will turn error messages like <code>internal_api_error_DBQueryError</code> into a more detailed stack of program calls, including database queries and responses.

==== General debug log ====
Sometimes it can be useful to see all debugging information the application produces. To enable this general debug log please add the following lines within you <code>LocalSettings.php</code> file:<syntaxhighlight lang="php">
if ( isset( $_GET['dodebuglog'] ) ) {
$GLOBALS['wgDebugLogFile'] = "$IP/cache/debug.log";
}

</syntaxhighlight>Be aware that this configuration is set conditionally. It will only be used if the URL accessed in the browser contains some query string like <code>dodebuglog=1</code>. This is to allow a more isolated debug log file. Otherwise other requests (like calls to the <code>load.php</code> entrypoint for CSS and JS content) may also add into this file, which makes analysis more difficult.

==== Log channels ====

== Client side debugging ==
Many errors occur only on the client and server side debugging will not help. In such cases the webbrowser can be used to retrieve more information.

=== Browser development tools ===
Most modern browsers have sophisticated development tools. Usually they can be accessed by pressing the <code>F12</code> key on the keyboard.

==== JavaScript console ====
When some interface element (button, dialog, ...) does not behave like it should, it is usually worth checking the browsers JavaScript console.

{{Textbox|boxtype=tip|header=Nothing listed?|text=Sometimes it may be required to re-do the action that lead to the error with ''open console'' rather than opening it later.}}

'''Example:'''

[[File:How_to_debug_JS_console_01.png|center|frame]]

One can click the link on the right side of the line to see the location of where the error has emerged from.

'''Example:'''

[[File:How_to_debug_JS_console_02.png|center|frame]]

====Network panel====
Sometimes network communication in the background of the application fails. In such cases, the "Network" panel of the browsers developer tools may reveal more information.

The error is also shown in the "Console" tab.

'''Example:'''

[[File:How_to_debug_Network_panel_01.png|center|frame]]

When in the "Network" panel, one can select the faulty request from the list to get more information.

'''Example:'''

[[File:How_to_debug_Network_panel_02.png|center|frame]]

The various tabs "Header", "Payload", "Response", etc. can provide useful information. When reporting such an issue, you can just "copy" the information using the context menu.

'''Example:'''

[[File:How_to_debug_Network_panel_03.png|center|frame]]

How to debug

2023-12-15T15:50:06Z

Rvogel:

==Help others to help you==
Sometimes things go wrong. In many cases the user is then confronted with cryptic or no error messages at all. This page provides help about getting more information about what exactly went wrong, so it can be fixed quickly. This is especially important when asking for help on locations like [https://community.bluespice.com community.bluespice.com].

Additional information can also be found at [[mediawikiwiki:Manual:How_to_debug|"Manual:How to debug" on MediaWiki.org]].

{{Textbox|boxtype=warning|header=Check for sensitive information|text=Most of the techniques described here will output very detailed information about the error, but also about the system and the context. The output may contain sensitive information like usernames, passwords, pathes, access-keys and many more. Before posting any information retrieved by this kind of debugging on a public location (like [https://community.bluespice.com community.bluespice.com]), make sure to redact all potential sensitive information!|icon=yes}}

== Generic information ==
In general it is a good idea to provide additional context information about the error. Usually this information is easily to access/gather by the one who reports an error and very valueable to anyone trying to help.

Such information can be
* Browser used (Firefox, Chrome, Edge, ...), ideally with the version
* URLs (which page the error occurs on, additional parameters that may play into the error)
* User permission level or role (admin, reader, editor, reviewer, ...)

Again: Be careful if the shared information contains sensible data and redact it if required.

== Server side debugging ==
There are various ways to get more information about errors by changing some configuration on the server side.

=== Wiki application ===

==== Enable detailed error reporting ====
Within you <code>LocalSettings.php</code> file, please add the following lines:<syntaxhighlight lang="php">
$GLOBALS['wgShowSQLErrors'] = true;
$GLOBALS['wgDebugDumpSql'] = true;
$GLOBALS['wgShowExceptionDetails'] = true;
$GLOBALS['wgShowDBErrorBacktrace'] = true;

</syntaxhighlight>This will turn error messages like <code>internal_api_error_DBQueryError</code> into a more detailed stack of program calls, including database queries and responses.

==== General debug log ====
Sometimes it can be useful to see all debugging information the application produces. To enable this general debug log please add the following lines within you <code>LocalSettings.php</code> file:<syntaxhighlight lang="php">
if ( isset( $_GET['dodebuglog'] ) ) {
$GLOBALS['wgDebugLogFile'] = "$IP/cache/debug.log";
}

</syntaxhighlight>Be aware that this configuration is set conditionally. It will only be used if the URL accessed in the browser contains some query string like <code>dodebuglog=1</code>. This is to allow a more isolated debug log file. Otherwise other requests (like calls to the <code>load.php</code> entrypoint for CSS and JS content) may also add into this file, which makes analysis more difficult.

==== Log channels ====

== Client side debugging ==
Many errors occur only on the client and server side debugging will not help. In such cases the webbrowser can be used to retrieve more information.

=== Browser development tools ===
Most modern browsers have sophisticated development tools. Usually they can be accessed by pressing the <code>F12</code> key on the keyboard.

==== JavaScript console ====
When some interface element (button, dialog, ...) does not behave like it should, it is usually worth checking the browsers JavaScript console.

{{Textbox|boxtype=tip|header=Nothing listed?|text=Sometimes it may be required to re-do the action that lead to the error with ''open console'' rather than opening it later.}}
'''Example:'''
[[File:How_to_debug_JS_console_01.png|center|frame]]
One can click the link on the right side of the line to see the location of where the error has emerged from.

'''Example:'''
[[File:How_to_debug_JS_console_02.png|center|frame]]

====Network panel====
Sometimes network communication in the background of the application fails. In such cases, the "Network" panel of the browsers developer tools may reveal more information.

The error is also shown in the "Console" tab.

'''Example:'''[[File:How_to_debug_Network_panel_01.png|center|frame]]When in the "Network" panel, one can select the faulty request from the list to get more information.

'''Example:'''[[File:How_to_debug_Network_panel_02.png|center|frame]]The various tabs "Header", "Payload", "Response", etc. can provide useful information. When reporting such an issue, you can just "copy" the information using the context menu.

'''Example:'''[[File:How_to_debug_Network_panel_03.png|center|frame]]

How to debug

2023-12-15T15:43:32Z

Rvogel:

==Help others to help you==
Sometimes things go wrong. In many cases the user is then confronted with cryptic or no error messages at all. This page provides help about getting more information about what exactly went wrong, so it can be fixed quickly. This is especially important when asking for help on locations like [https://community.bluespice.com community.bluespice.com].

Additional information can also be found at [[mediawikiwiki:Manual:How_to_debug|"Manual:How to debug" on MediaWiki.org]].

{{Textbox|boxtype=warning|header=Check for sensitive information|text=Most of the techniques described here will output very detailed information about the error, but also about the system and the context. The output may contain sensitive information like usernames, passwords, pathes, access-keys and many more. Before posting any information retrieved by this kind of debugging on a public location (like [https://community.bluespice.com community.bluespice.com]), make sure to redact all potential sensitive information!|icon=yes}}

== Generic information ==
In general it is a good idea to provide additional context information about the error. Usually this information is easily to access/gather by the one who reports an error and very valueable to anyone trying to help.

Such information can be
* Browser used (Firefox, Chrome, Edge, ...), ideally with the version
* URLs (which page the error occurs on, additional parameters that may play into the error)
* User permission level or role (admin, reader, editor, reviewer, ...)

Again: Be careful if the shared information contains sensible data and redact it if required.

== Server side debugging ==
There are various ways to get more information about errors by changing some configuration on the server side.

=== Wiki application ===

==== Enable detailed error reporting ====
Within you <code>LocalSettings.php</code> file, please add the following lines:<syntaxhighlight lang="php">
$GLOBALS['wgShowSQLErrors'] = true;
$GLOBALS['wgDebugDumpSql'] = true;
$GLOBALS['wgShowExceptionDetails'] = true;
$GLOBALS['wgShowDBErrorBacktrace'] = true;

</syntaxhighlight>This will turn error messages like <code>internal_api_error_DBQueryError</code> into a more detailed stack of program calls, including database queries and responses.

==== General debug log ====
Sometimes it can be useful to see all debugging information the application produces. To enable this general debug log please add the following lines within you <code>LocalSettings.php</code> file:<syntaxhighlight lang="php">
if ( isset( $_GET['dodebuglog'] ) ) {
$GLOBALS['wgDebugLogFile'] = "$IP/cache/debug.log";
}

</syntaxhighlight>Be aware that this configuration is set conditionally. It will only be used if the URL accessed in the browser contains some query string like <code>dodebuglog=1</code>. This is to allow a more isolated debug log file. Otherwise other requests (like calls to the <code>load.php</code> entrypoint for CSS and JS content) may also add into this file, which makes analysis more difficult.

==== Log channels ====

== Client side debugging ==
Many errors occur only on the client and server side debugging will not help. In such cases the webbrowser can be used to retrieve more information.

=== Browser development tools ===
Most modern browsers have sophisticated development tools. Usually they can be accessed by pressing the <code>F12</code> key on the keyboard.

==== JavaScript console ====
When some interface element (button, dialog, ...) does not behave like it should, it is usually worth checking the browsers JavaScript console.

{{Textbox|boxtype=tip|header=Nothing listed?|text=Sometimes it may be required to re-do the action that lead to the error with ''open console'' rather than opening it later.}}
[[File:How_to_debug_JS_console_01.png|center|frame]]
'''Example:'''
[[File:How_to_debug_JS_console_02.png|center|frame]]

==== Network panel ====
[[File:How_to_debug_Network_panel_01.png|center|frame]]
[[File:How_to_debug_Network_panel_02.png|center|frame]]
[[File:How_to_debug_Network_panel_03.png|center|frame]]

How to debug

2023-12-13T10:09:30Z

Rvogel:

==Help others to help you==
Sometimes things go wrong. In many cases the user is then confronted with cryptic or no error messages at all. This page provides help about getting more information about what exactly went wrong, so it can be fixed quickly. This is especially important when asking for help on locations like [https://community.bluespice.com community.bluespice.com].

Additional information can also be found at [[mediawikiwiki:Manual:How_to_debug|"Manual:How to debug" on MediaWiki.org]].

{{Textbox|boxtype=warning|header=Check for sensitive information|text=Most of the techniques described here will output very detailed information about the error, but also about the system and the context. The output may contain sensitive information like usernames, passwords, pathes, access-keys and many more. Before posting any information retrieved by this kind of debugging on a public location (like [https://community.bluespice.com community.bluespice.com]), make sure to redact all potential sensitive information!|icon=yes}}

== Generic information ==
In general it is a good idea to provide additional context information about the error. Usually this information is easily to access/gather by the one who reports an error and very valueable to anyone trying to help.

Such information can be
* Browser used (Firefox, Chrome, Edge, ...), ideally with the version
* URLs (which page the error occurs on, additional parameters that may play into the error)
* User permission level or role (admin, reader, editor, reviewer, ...)

Again: Be careful if the shared information contains sensible data and redact it if required.

== Server side debugging ==
There are various ways to get more information about errors by changing some configuration on the server side.

=== Wiki application ===

==== Enable detailed error reporting ====
Within you <code>LocalSettings.php</code> file, please add the following lines:<syntaxhighlight lang="php">
$GLOBALS['wgShowSQLErrors'] = true;
$GLOBALS['wgDebugDumpSql'] = true;
$GLOBALS['wgShowExceptionDetails'] = true;
$GLOBALS['wgShowDBErrorBacktrace'] = true;

</syntaxhighlight>This will turn error messages like <code>internal_api_error_DBQueryError</code> into a more detailed stack of program calls, including database queries and responses.

==== General debug log ====
Sometimes it can be useful to see all debugging information the application produces. To enable this general debug log please add the following lines within you <code>LocalSettings.php</code> file:<syntaxhighlight lang="php">
if ( isset( $_GET['dodebuglog'] ) ) {
$GLOBALS['wgDebugLogFile'] = "$IP/cache/debug.log";
}

</syntaxhighlight>Be aware that this configuration is set conditionally. It will only be used if the URL accessed in the browser contains some query string like <code>dodebuglog=1</code>. This is to allow a more isolated debug log file. Otherwise other requests (like calls to the <code>load.php</code> entrypoint for CSS and JS content) may also add into this file, which makes analysis more difficult.

==== Log channels ====

== Client side debugging ==
Many errors occur only on the client and server side debugging will not help. In such cases the webbrowser can be used to retrieve more information.

=== Browser development tools ===
Most modern browsers have sophisticated development tools. Usually they can be accessed by pressing the <code>F12</code> key on the keyboard.

==== JavaScript console ====
When some interface element (button, dialog, ...) does not behave like it should, it is usually worth checking the browsers JavaScript console.

{{Textbox|boxtype=tip|header=Nothing listed?|text=Sometimes it may be required to re-do the action that lead to the error with ''open console'' rather than opening it later.}}

'''Example:'''
[[File:How_to_debug_JS_console_01.png]]

[[File:How_to_debug_JS_console_02.png]]

==== Network panel ====

[[File:How_to_debug_Network_panel_01.png]]

[[File:How_to_debug_Network_panel_02.png]]

[[File:How_to_debug_Network_panel_03.png]]

How to debug

2023-12-13T10:07:23Z

Rvogel:

==Help others to help you==
Sometimes things go wrong. In many cases the user is then confronted with cryptic or no error messages at all. This page provides help about getting more information about what exactly went wrong, so it can be fixed quickly. This is especially important when asking for help on locations like [https://community.bluespice.com community.bluespice.com].

Additional information can also be found at [[mediawikiwiki:Manual:How_to_debug|"Manual:How to debug" on MediaWiki.org]].

{{Textbox|boxtype=warning|header=Check for sensitive information|text=Most of the techniques described here will output very detailed information about the error, but also about the system and the context. The output may contain sensitive information like usernames, passwords, pathes, access-keys and many more. Before posting any information retrieved by this kind of debugging on a public location (like [https://community.bluespice.com community.bluespice.com]), make sure to redact all potential sensitive information!|icon=yes}}

== Generic information ==
In general it is a good idea to provide additional context information about the error. Usually this information is easily to access/gather by the one who reports an error and very valueable to anyone trying to help.

Such information can be
* Browser used (Firefox, Chrome, Edge, ...), ideally with the version
* URLs (which page the error occurs on, additional parameters that may play into the error)
* User permission level or role (admin, reader, editor, reviewer, ...)

Again: Be careful if the shared information contains sensible data and redact it if required.

== Server side debugging ==
There are various ways to get more information about errors by changing some configuration on the server side.

=== Wiki application ===

==== Enable detailed error reporting ====
Within you <code>LocalSettings.php</code> file, please add the following lines:<syntaxhighlight lang="php">
$GLOBALS['wgShowSQLErrors'] = true;
$GLOBALS['wgDebugDumpSql'] = true;
$GLOBALS['wgShowExceptionDetails'] = true;
$GLOBALS['wgShowDBErrorBacktrace'] = true;

</syntaxhighlight>This will turn error messages like <code>internal_api_error_DBQueryError</code> into a more detailed stack of program calls, including database queries and responses.

==== General debug log ====
Sometimes it can be useful to see all debugging information the application produces. To enable this general debug log please add the following lines within you <code>LocalSettings.php</code> file:<syntaxhighlight lang="php">
if ( isset( $_GET['dodebuglog'] ) ) {
$GLOBALS['wgDebugLogFile'] = "$IP/cache/debug.log";
}

</syntaxhighlight>Be aware that this configuration is set conditionally. It will only be used if the URL accessed in the browser contains some query string like <code>dodebuglog=1</code>. This is to allow a more isolated debug log file. Otherwise other requests (like calls to the <code>load.php</code> entrypoint for CSS and JS content) may also add into this file, which makes analysis more difficult.

==== Log channels ====

== Client side debugging ==
Many errors occur only on the client and server side debugging will not help. In such cases the webbrowser can be used to retrieve more information.

=== Browser development tools ===
Most modern browsers have sophisticated development tools. Usually they can be accessed by pressing the <code>F12</code> key on the keyboard.

==== JavaScript console ====
When some interface element (button, dialog, ...) does not behave like it should, it is usually worth checking the browsers JavaScript console.

{{Textbox|boxtype=info|text=Sometimes it may be required to re-do the action that lead to the error with ''open console'' rather than opening it later.}}

'''Example:'''
[[File:How_to_debug_JS_console_01.png]]

[[File:How_to_debug_JS_console_02.png]]

==== Network panel ====

[[File:How_to_debug_Network_panel_01.png]]

[[File:How_to_debug_Network_panel_02.png]]

[[File:How_to_debug_Network_panel_03.png]]

File:How to debug Network panel 03.png

2023-12-13T09:55:38Z

Rvogel:

File:How to debug Network panel 02.png

2023-12-13T09:55:11Z

Rvogel:

File:How to debug Network panel 01.png

2023-12-13T09:54:50Z

Rvogel:

File:How to debug JS console 02.png

2023-12-13T09:54:10Z

Rvogel:

File:How to debug JS console 01.png

2023-12-13T09:53:43Z

Rvogel:

How to debug

2023-12-13T09:53:17Z

Rvogel:

Sometimes things go wrong. In many cases the user is then confronted with cryptic or no error messages at all. This page provides help about getting more information about what exactly went wrong, so it can be fixed quickly. This is especially important when asking for help on locations like [https://community.bluespice.com community.bluespice.com].

Additional information can also be found at [[mediawikiwiki:Manual:How_to_debug|"Manual:How to debug" on MediaWiki.org]].{{Textbox|boxtype=warning|header=Check for sensitive information|text=Most of the techniques described here will output very detailed information about the error, but also about the system and the context. The output may contain sensitive information like usernames, passwords, pathes, access-keys and many more. Before posting any information retrieved by this kind of debugging on a public location (like [https://community.bluespice.com community.bluespice.com]), make sure to redact all potential sensitive information!|icon=yes}}

== Server side debugging ==
There are various ways to get more information about errors by changing some configuration on the server side.

=== Wiki application ===

==== Enable detailed error reporting ====
Within you <code>LocalSettings.php</code> file, please add the following lines:<syntaxhighlight lang="php">
$GLOBALS['wgShowSQLErrors'] = true;
$GLOBALS['wgDebugDumpSql'] = true;
$GLOBALS['wgShowExceptionDetails'] = true;
$GLOBALS['wgShowDBErrorBacktrace'] = true;

</syntaxhighlight>This will turn error messages like <code>internal_api_error_DBQueryError</code> into a more detailed stack of program calls, including database queries and responses.

==== General debug log ====
Sometimes it can be useful to see all debugging information the application produces. To enable this general debug log please add the following lines within you <code>LocalSettings.php</code> file:<syntaxhighlight lang="php">
if ( isset( $_GET['dodebuglog'] ) ) {
$GLOBALS['wgDebugLogFile'] = "$IP/cache/debug.log";
}

</syntaxhighlight>Be aware that this configuration is set conditionally. It will only be used if the URL accessed in the browser contains some query string like <code>dodebuglog=1</code>. This is to allow a more isolated debug log file. Otherwise other requests (like calls to the <code>load.php</code> entrypoint for CSS and JS content) may also add into this file, which makes analysis more difficult.

==== Log channels ====

== Client side debugging ==
Many errors occur only on the client and server side debugging will not help. In such cases the webbrowser can be used to retrieve more information.

=== Browser development tools ===
Most modern browsers have sophisticated development tools. Usually they can be accessed by pressing the <code>F12</code> key on the keyboard.

==== JavaScript console ====

[[File:How_to_debug_JS_console_01.png]]

[[File:How_to_debug_JS_console_02.png]]

==== Network panel ====

[[File:How_to_debug_Network_panel_01.png]]

[[File:How_to_debug_Network_panel_02.png]]

[[File:How_to_debug_Network_panel_03.png]]

How to debug

2023-12-04T09:52:28Z

Rvogel:

How to debug

2023-12-04T09:33:57Z

Rvogel:

How to debug

2023-12-04T09:17:17Z

Rvogel: Created page with "== Server side debugging == === Wiki application === ==== General debug log ==== ==== Log channels ==== == Client side debugging == === Browser development tools === ==== JavaScript console ==== ==== Network panel ===="

== Server side debugging ==

=== Wiki application ===

==== General debug log ====

==== Log channels ====

== Client side debugging ==

=== Browser development tools ===

==== JavaScript console ====

==== Network panel ====

Debugging

2023-12-04T09:15:00Z

Rvogel: Redirected page to How to debug

#REDIRECT [[How to debug]]

Security:Security Advisories/BSSA-2023-02

2023-10-30T10:56:55Z

Rvogel:

{{Featurepage|featured=true|featuredesc=Current Security Advisory: BSSA-2023-01|featurestart=07/26/2023}}
{| class="wikitable"
|+
!
!
|-
|Date
|2023-10-30
|-
|Severity
|Low
|-
|Affected
|
* BlueSpiceAvatars
|-
|Fixed in
|
* BlueSpiceAvatars 4.3.3
* BlueSpiceAvatars 3.2.10.1
|-
|CVE
|[https://www.cve.org/cverecord?id=CVE-2023-42431 CVE-2023-42431]
|}

== Problem ==

When setting the avatar profile image, one can cause an XSS attack by inserting a modified URL in the dialog. The issue only occurs in the dialog itself and only in the context of the user that applied the change.
== Solution ==
* BlueSpice 4: Update to version 4.3.3
* BlueSpice 3: Update Extension:BlueSpiceAvatars version [https://github.com/wikimedia/mediawiki-extensions-BlueSpiceAvatars/tree/3.2.10.1 3.2.10.1]

== Acknowledgements ==
Special thanks to the security team of an undisclosed customer.

Security:Security Advisories/BSSA-2023-02

2023-10-30T10:53:49Z

Rvogel:

{{Featurepage|featured=true|featuredesc=Current Security Advisory: BSSA-2023-01|featurestart=07/26/2023}}
{| class="wikitable"
|+
!
!
|-
|Date
|2023-10-30
|-
|Severity
|Low
|-
|Affected
|
* BlueSpiceAvatars
|-
|Fixed in
|
* BlueSpiceAvatars 4.3.3
* BlueSpiceAvatars 3.2.10.1
|-
|CVE
|[https://www.cve.org/cverecord?id=CVE-2023-42431 CVE-2023-42431]
|}

== Problem ==

== Solution ==
* BlueSpice 4: Update to version 4.3.3
* BlueSpice 3: Update Extension:BlueSpiceAvatars version [https://github.com/wikimedia/mediawiki-extensions-BlueSpiceAvatars/tree/3.2.10.1 3.2.10.1]

== Resources ==
None

== Acknowledgements ==
Special thanks to the security team of an undisclosed customer.

Security:Security Advisories/BSSA-2023-02

2023-10-30T10:53:17Z

Rvogel:

{{Featurepage|featured=true|featuredesc=Current Security Advisory: BSSA-2023-01|featurestart=07/26/2023}}
{| class="wikitable"
|+
!
!
|-
|Date
|2023-10-30
|-
|Severity
|Low
|-
|Affected
|
* BlueSpiceAvatars
|-
|Fixed in
|
* BlueSpiceAvatars 4.3.3
* BlueSpiceAvatars 3.2.10.1
|-
|CVE
|[https://www.cve.org/cverecord?id=CVE-2023-42431 CVE-2023-42431]
|}

== Problem ==

== Solution ==
* BlueSpice 4: Update to version 4.3.3
* BlueSpice 3: Update Extension:BlueSpiceAvatars version [https://github.com/wikimedia/mediawiki-extensions-BlueSpiceAvatars/tree/3.2.10.1 3.2.10.1]

== Resources ==
None

== Acknowledgements ==
Found during an internal security audit.

Security:Security Advisories/BSSA-2023-02

2023-10-30T10:49:31Z

Rvogel: Created page with "{{Featurepage|featured=true|featuredesc=Current Security Advisory: BSSA-2023-01|featurestart=07/26/2023}} {| class="wikitable" |+ ! ! |- |Date |2023-07-25 |- |Severity |Medium |- |Affected | * BlueSpice Infrastructure: Ghostscript |- |Fixed in | * Ghostscript 9.53.3 and 10.01.2 |- |CVE |[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664] |} == Problem == A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF docum..."

{{Featurepage|featured=true|featuredesc=Current Security Advisory: BSSA-2023-01|featurestart=07/26/2023}}
{| class="wikitable"
|+
!
!
|-
|Date
|2023-07-25
|-
|Severity
|Medium
|-
|Affected
|
* BlueSpice Infrastructure: Ghostscript
|-
|Fixed in
|
* Ghostscript 9.53.3 and 10.01.2
|-
|CVE
|[https://www.cve.org/CVERecord?id=CVE-2023-36664 CVE-2023-36664]
|}

== Problem ==
A bug in ghostscript can be exploited to run arbitrary code on the host machine using prepared PDF document. In BlueSpice, when a) PDFHandler is enabled and b) a PDF document is uploaded, a preview image is being generated using ghostscript. If an attacker uploads a prepared PDF, they can execute code on the server.

PDFHandler is not enabled by default, but many installations have set it active.

== Solution ==
Upgrade Ghostscript to a fixed version and ensure the updated version is used by adding <code>$wgPdfProcessor = '/usr/bin/gs';</code> to <code>LocalSettings.php</code>.

If upgrade of Ghostscript is not possible, disable the extension PDFHandler. This, however, removes the ability for BlueSpice to render PDF preview images.

== Resources ==
* For Debian: https://www.debian.org/security/2023/dsa-5446
* For Debian10: [https://security-tracker.debian.org/tracker/source-package/ghostscript Information on source package ghostscript (debian.org)]
* For Ubuntu: https://launchpad.net/ubuntu/+source/ghostscript/9.50~dfsg-5ubuntu4.8

== Acknowledgements ==
Found during an internal security audit.

Archive:Setup:Installation Guide/Optimization/Cronjobs

2023-06-14T12:37:47Z

Rvogel: Add

{{DISPLAYTITLE:Cronjobs}}
__TOC__

This document describes cronjobs an related configurations, which should be set for your BlueSpice (depending on the used version).

==Tips for this Document==
{{Setup-document-note}}

{{Messagebox|boxtype=Hinweis|Note text=It is recommended to specify the complete path to php.exe under Windows. For more information, see the [[Setup:Installation_Guide/Services_and_system_configuration/Environment_Variables|environment variables]] document.}}

==runJobs.php==
Time-consuming processes will be moved to a processing queue in the background of BlueSpice. With every page impression, a part of these will be processed. For the case that there are lots of processes in the queue and there are relatively litte page impressions, the tasks will not be processed promptly.

For this reason, the queue should be processed regularly by cronjob.

Create a cronjob (Windows: "Scheduled task") depending on your operating system. The command to execute is:

php <code><installpath-bluespice></code>/maintenance/runJobs.php ''(Linux)''
php.exe <code><installpath-bluespice></code>\maintenance\runJobs.php ''(Windows)''

Execute the cronjob every '''10 minutes'''.

==processRunner.php==
Certain tasks require server resources that can not be provided in the regular context of a webrequest. They will be moved to a special processing queue in the background of BlueSpice.

Create a cronjob (Windows: "Scheduled task") depending on your operating system. The command to execute is:

php <code><installpath-bluespice></code>/vendor/mwstake/mediawiki-component-processmanager/maintenance/processRunner.php <code><installpath-bluespice></code>/maintenance/Maintenance.php --max-processes=100 --wait ''(Linux)''
php.exe <code><installpath-bluespice></code>\vendor\mwstake\mediawiki-component-processmanager\maintenance\processRunner.php <code><installpath-bluespice></code>\maintenance\Maintenance.php --max-processes=100 --wait ''(Windows)''

Execute the cronjob every '''minute'''.

[[en:{{FULLPAGENAME}}]]
[[de:Setup:Installationsanleitung/Optimierungen/Cronjobs]]

Setup:Release Notes/erm/latest

2023-01-23T15:22:51Z

Rvogel:

== BlueSpice ERM 4.2 ==

=== BlueSpice ERM 4.2.4-23.01.23.1 ===
This is an unscheduled release of the BlueSpice ERM 4.2 branch.

The <code>bluespice/bluespice</code> container does now support "HTTP/2".

==== Changes since BlueSpice ERM 4.2.4 ====

* CHANGE: PermissionManager - Configure public access for some namespace (#31083)
* FIX: BSP overload issues (#3098; easysoftware#569052)

Setup:Release Notes/erm/latest

2023-01-23T15:22:34Z

Rvogel: Created page with "== BlueSpice ERM 4.2 == === BlueSpice ERM 4.2.4-23.01.23.1 === This is an unscheduled release of the BlueSpice ERM 4.2 branch. The <code>bluespice/bluespice</code> container..."

Setup:Installation Guide

2022-12-28T09:40:51Z

Rvogel:

{{Messagebox|boxtype=note|icon=|Note text=For general questions regarding the installation, maintenance, and usage of BlueSpice free, go to our [https://sourceforge.net/p/bluespice/discussion/1249668/ SourceForge help forum] .|bgcolor=}}
==Introduction==

We are happy that you decided to install the latest version of BlueSpice 4.

Please follow these steps:

# [[Setup:Installation Guide#Check the system requirements|Check the system requirements]]
# [[Setup:Installation Guide#Prepare the server environment|Prepare the server environment]]
# [[Setup:Installation Guide#Install the BlueSpice application|Install the BlueSpice application]]
# [[Setup:Installation Guide#Optimizing the configuration|Optimize the configuration]]

==Check the system requirements==

*[[Setup:System requirements|System requirements]]

== Prepare the server environment ==

* [[Setup:Installation Guide/System Preparation/Linux|Linux server environment]]
* [[Setup:Installation Guide/System Preparation/Windows|Windows server environment]]

==Install the BlueSpice application==
Please select which installation type you need:

*[[Setup:Installation Guide/With Installer|Full BlueSpice installation]]
**Extended Functions: [[Setup:Installation Guide/Advanced/VisualEditor Configuration|VisualEditor]], [[Setup:Installation Guide/Advanced/ExtendedSearch Configuration|ExtendedSearch]]
*[[Setup:Installation Guide/Installation BlueSpice WikiFarm|BlueSpice WikiFarm installation]]
*[[Setup:Installation Guide/Docker/Docker Hub|Docker image]]

==Upgrade and patch updates==

*[[Setup:Installation Guide/Patch Update|Patch update from BlueSpice 4.2.x to a higher version 4.2.x+n]]
*[[Setup:Installation Guide/Upgrade free to pro|Upgrade from BlueSpice free 3.2.x to BlueSpice pro 4.2.x]]
*Upgrade from Bluespice free 4.2.x to pro 4.2.x

==Migration from MediaWiki to BlueSpice==

*[[Setup:Installation Guide/Migration from MediaWiki to BlueSpice|Migration from MediaWiki to BlueSpice]]

==Optimize the configuration==
If you don't need to set up a server environment "from scratch", you can directly refer to the setup instructions for individual system components. Just make sure that you really have everything configured as needed:

===Webservices for Apache Tomcat===

{{Special:PrefixIndex/Setup:Installation Guide/Webservices/ |hideredirects=1 |stripprefix=1}}

===Additional settings and optimizations===

*[[Setup:Installation Guide/Optimization/Caching|Caching]]
*[[Setup:Installation Guide/Optimization/Cronjobs|Cronjobs]]
*[[Setup:Installation Guide/Optimization/Time Zone|Time Zone]]

===Security settings===

*[[Setup:Installation Guide/Security Settings/File System Permissions|File System Permissions]]
*[[Setup:Installation Guide/Security Settings/Deactivating installcheck file|Deactivating installcheck file]]
*[[Setup:Installation Guide/Security Settings/Save Directories|Save Directories]]<br />

===Compendium===

{{Special:PrefixIndex/Setup:Installation Guide/Advanced/ |hideredirects=1 |stripprefix=1}}

[[en:{{FULLPAGENAME}}]]
[[de:Setup:Installationsanleitung]]
[[Category:Setup]]

Setup:System requirements

2022-06-23T06:44:01Z

Rvogel:

{{DISPLAYTITLE:System Requirements}}
__NOTOC__

For a trouble-free installation of the current version BlueSpice 3.4, we recommend the following system requirements. The application BlueSpice is tested by Hallo Welt! for Windows and Linux.

==Browser==

*Microsoft Edge
*Google Chrome
*Firefox

==Server Environment==
{{Messagebox|boxtype=warning|icon=yes|Note text=PHP version 8 is currently not supported!|bgcolor=}}
*Operating system: Microsoft Windows Server >= 2016 or Linux (common distributions)
*Webserver: <span style="color: rgb(68, 68, 68)">Apache 2.4.x, IIS >= 10 ''or'' nginx 1.x</span> (''nginx'' ''not possible in WikiFarm'')
*PHP 7.4.x starting at 7.4.3
*MySQL: >= 5.6 oder MariaDB >= 10.3
*Main memory: 16 GB (minimal 8 GB)
*Available hard drive space: > 20GB (depends on the planned storage of data)
*CPU: 8 (minimal 4) cores
*Apache Tomcat >= 9 oder Jetty >= 9 (for PDF export and LaTexRenderer)
*ElasticSearch 6.8 with plugin “ingest-attachment”
*OpenJDK >= 10
*NodeJS 16
[[en:{{FULLPAGENAME}}]]
[[de:Setup:Systemanforderungen]]
[[Category:Setup]]

Manual:Extension/FlaggedRevs/Server script

2022-04-22T07:51:47Z

Rvogel:

== Mass approval using a script ==
The script <code>extensions/BlueSpiceFlaggedRevsConnector/maintenance/BSBatchReview.php</code> can be used to approve all drafts in the wiki. This affects both first drafts, drafts of pages with already approved versions and drafts for embedded resources.

===Options===
{| class="wikitable" style="width:100%;"
|+
!Option
!Description
|-
|<code>--username</code>
|Required. The user name of the existing user to use as the "reviewer"
|-
|<code>--pageids</code>
|Flat file containing page ids seperated by line break
|-
|<code>--pages</code>
|Flat file containing page names seperated by line break
|-
|<code>--namespace</code>
|Id of namespace to flag entirely
|-
|<code>--flag</code>
|Which flags to apply? Possible values: "quality", "pristine", "checked". Default is "quality".
|}
{{Messagebox|boxtype=note|icon=|Note text=The options <code>--pageids</code>, <code>--pages</code> and <code>--namespace</code> are mutual exclusive required. One - and only one - of them ''must'' be provided.}}

=== Examples ===

==== Whole namespace ====
<syntaxhighlight lang="bash">
php extensions/BlueSpiceflaggedRevsConnector/maintenance/BSBatchReview.php --username WikiSysop --namespace 3000
</syntaxhighlight>

==== List of page ids ====
Such a list can be created from a database query.

File <code>/tmp/page-ids-to-review.txt</code>:
23
42
1337

Command line:
<syntaxhighlight lang="bash">
php extensions/BlueSpiceflaggedRevsConnector/maintenance/BSBatchReview.php --username WikiSysop --pageids /tmp/page-ids-to-review.txt
</syntaxhighlight>

==== List of page names ====
Such a list can be created using a [[SMW queries|SMW query]].
File <code>/tmp/page-titles-to-review.txt</code>:
Some/Page
Other_page
Help:Some_help_page

Command line:
<syntaxhighlight lang="bash">
php extensions/BlueSpiceflaggedRevsConnector/maintenance/BSBatchReview.php --username WikiSysop --pages /tmp/page-titles-to-review.txt
</syntaxhighlight>

Manual:Extension/FlaggedRevs/Server script

2022-04-22T07:51:10Z

Rvogel:

== Mass approval using a script ==
The script <code>extensions/BlueSpiceFlaggedRevsConnector/maintenance/BSBatchReview.php</code> can be used to approve all drafts in the wiki. This affects both first drafts, drafts of pages with already approved versions and drafts for embedded resources.

===Options===
{| class="wikitable" style="width:100%;"
|+
!Option
!Description
|-
|<code>--username</code>
|Required. The user name of the existing user to use as the "reviewer"
|-
|<code>--pageids</code>
|Flat file containing page ids seperated by line break
|-
|<code>--pages</code>
|Flat file containing page names seperated by line break
|-
|<code>--namespace</code>
|Id of namespace to flag entirely
|-
|<code>--flag</code>
|Which flags to apply? Possible values: "quality", "pristine", "checked". Default is "quality".
|}
{{Messagebox|boxtype=note|icon=|Note text=The options <code>--pageids</code>, <code>--pages</code> and <code>--namespace</code> are mutual exclusive required. One - and only one - of them ''must'' be provided.}}

=== Examples ===

==== Whole namespace ====
<syntaxhighlight lang="bash">
php extensions/BlueSpiceflaggedRevsConnector/maintenance/BSBatchReview.php --username WikiSysop --namespace 3000
</syntaxhighlight>

==== List of page ids ====
Such a list can be created from a database query.

File <code>/tmp/page-ids-to-review.txt</code>;
23
42
1337

Command line:
<syntaxhighlight lang="bash">
php extensions/BlueSpiceflaggedRevsConnector/maintenance/BSBatchReview.php --username WikiSysop --pageids /tmp/page-ids-to-review.txt
</syntaxhighlight>

==== List of page names ====
Such a list can be created using a [[SMW queries|SMW query]].
File <code>/tmp/page-titles-to-review.txt</code>;
Some/Page
Other_page
Help:Some_help_page

Command line:
<syntaxhighlight lang="bash">
php extensions/BlueSpiceflaggedRevsConnector/maintenance/BSBatchReview.php --username WikiSysop --pages /tmp/page-titles-to-review.txt
</syntaxhighlight>

Manual:Extension/FlaggedRevs/Server script

2022-04-22T07:45:51Z

Rvogel:

== Mass approval using a script ==
The script <code>extensions/BlueSpiceFlaggedRevsConnector/maintenance/BSBatchReview.php</code> can be used to approve all drafts in the wiki. This affects both first drafts, drafts of pages with already approved versions and drafts for embedded resources.

===Options===
{| class="wikitable" style="width:100%;"
|+
!Option
!Description
|-
|<code>--username</code>
|Required. The user name of the existing user to use as the "reviewer"
|-
|<code>--pageids</code>
|Flat file containing page ids seperated by line break
|-
|<code>--pages</code>
|Flat file containing page names seperated by line break
|-
|<code>--namespace</code>
|Id of namespace to flag entirely
|-
|<code>--flag</code>
|Which flags to apply? Possible values: "quality", "pristine", "checked". Default is "quality".
|}
{{Messagebox|boxtype=note|icon=|Note text=The options <code>--pageids</code>, <code>--pages</code> and <code>--namespace</code> are mutual exclusive required. One - and only one - of them ''must'' be provided.}}

The pages are released per namespace and by a user with admin rights:
<syntaxhighlight lang="php">
php extensions/BlueSpiceflaggedRevsConnector/maintenance/BSBatchReview.php --username WikiSysop --namespace 3000
</syntaxhighlight>
If there is a large number of affected namespaces, a list of page titles or page IDs can be specified as a txt file. If necessary, this list can be created using a [[SMW queries|SMW query]].

User:Rvogel

2022-04-21T07:08:42Z

Rvogel: create user page