These problems are known in version and will be fixed in the next release.
- Getting error when updating ip-to-country database
This happens when you try to update using the file downloadable from ip-to-country.webhosting.info. It's 70% my fault and 30% the fault of the people at webhosting.info. Their 30% is because newer versions of their ip-to-country.csv have some inconsistencies: some rows contain 3 fields instead of 5 (like the rows for the two new countries, Serbia and Montenegro, which separated on May 21, 2006). My 70% is because I should have made the script ignore such rows; this is an unforgivable mistake on my side!
Anyway, since I've been working on version 0.3 for a long time and the 0.2x versions have a quite different programming environment, it's very time-consuming for me to go back and repackage a new 0.2x version to solve this issue. So I simply downloaded the latest version of ip-to-country.csv from webhosting.info, removed those faulty rows and uploaded the corrected file to the website; you can download it from the download page (both the twatch+ip2c and ip2c packages are updated).
If you need to update again in the future you can do the same thing (remove the faulty rows before feeding twatch with the file). I just hope I can prepare version 0.3 before you need another ip-to-country update :)
- The PHPSESSID security issue
This is more a PHP security issue than a TraceWatch security issue. It happens only when PHP on your server is configured with session.use_trans_sid set to on.
The problem is that when session.use_trans_sid is enabled in your PHP configuration and you browse TraceWatch pages on your website, PHP sometimes rewrites URLs and includes your session ID in the URL, like this:
http://yourwebsite/twatch/latest.php?PHPSESSID=ecffa17bb5533ec0fee7d65b3518f9fd
When you click on any external link on that page, your browser sends the above URL (including your session ID) to the target website as HTTP_REFERER. The admin of the target website can then use the URL with your session ID to log in to your TraceWatch installation.
It seems disabling URL rewriting is not possible with the ini_set() function, so I can't release a quick fix.
What you can do is:
1- If you have access to the php.ini file on your server, modify it and set
session.use_only_cookies = 1
session.use_trans_sid = 0
2- Make an .htaccess file in your TraceWatch folder and put these two lines in it
php_value session.use_only_cookies 1
php_value session.use_trans_sid 0
3- If you can't get rid of the session ID in URLs anyway, do not click on any external link on your TraceWatch report pages if you see something like PHPSESSID=ecffa17bb5533ec0fee7d65b3518f9fd in the URL on your browser's status bar when you move the mouse over the link. Instead, copy the link and paste it into a new browser window.
If I can't find a neat way to get rid of this issue I may stop using PHP's default session handler in TraceWatch version 0.3 which is underway.
Thanks to Michael for bringing this issue to my attention.
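To check whether session IDs are still ending up in URLs after applying the settings above, you can scan your own web server's access log. The following is an added example, not part of TraceWatch: it lists session IDs seen in request URLs or Referer headers and flags any ID presented by more than one client IP. It assumes the Apache combined log format and PHP's default PHPSESSID session name; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" format: client IP, request line, status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Assumes PHP's default session name, PHPSESSID, as in the URL shown above.
SID_RE = re.compile(r'[?&;]PHPSESSID=([0-9A-Za-z,-]+)')

def audit(lines):
    """Return (ids_in_urls, shared).

    ids_in_urls: session IDs seen in a request URL or a Referer header,
                 i.e. evidence that URL rewriting is still active.
    shared:      {session_id: sorted client IPs} for IDs that more than one
                 client IP presented in a request URL (review these sessions).
    """
    ids_in_urls = set()
    ips_by_sid = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        ids_in_urls.update(SID_RE.findall(m["referer"]))
        for sid in SID_RE.findall(m["url"]):
            ids_in_urls.add(sid)
            ips_by_sid[sid].add(m["ip"])
    shared = {s: sorted(ips) for s, ips in ips_by_sid.items() if len(ips) > 1}
    return ids_in_urls, shared

# Constructed sample log (documentation IP ranges, made-up session IDs).
SID_A = "aaaa1111bbbb2222cccc3333dddd4444"
SID_B = "eeee5555ffff6666aaaa7777bbbb8888"
SAMPLE = [
    f'192.0.2.10 - - [10/Oct/2006:13:55:36 +0000] "GET /twatch/latest.php?PHPSESSID={SID_A} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'192.0.2.10 - - [10/Oct/2006:13:56:02 +0000] "GET /twatch/index.php HTTP/1.1" 200 4096 "http://yourwebsite/twatch/latest.php?PHPSESSID={SID_A}" "Mozilla/5.0"',
    f'203.0.113.77 - - [10/Oct/2006:14:20:11 +0000] "GET /twatch/latest.php?PHPSESSID={SID_A} HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    f'198.51.100.5 - - [10/Oct/2006:15:01:40 +0000] "GET /twatch/latest.php?PHPSESSID={SID_B} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'truncated line that does not parse',
]

if __name__ == "__main__":
    ids, shared = audit(SAMPLE)
    print("session IDs exposed in URLs:", sorted(ids))
    for sid, ips in shared.items():
        print("same session ID from several clients:", sid, ips)
```

A session ID showing up from a second IP is not proof of misuse (the same user may have changed networks), but it is the session to invalidate and review first.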
- After entering user/pass on the install page and clicking on login, you get back to the login page with no message, or you get these errors:
Undefined index: HTTP_HOST in...
Warning: Invalid argument supplied for foreach()...
This happens only when installing TraceWatch on PHP5 with register_long_arrays set to Off in the PHP configuration file.
A quick fix for now is to turn register_long_arrays on in php.ini or in an .htaccess file.
