httpd-cvs mailing list archives

From n.@apache.org
Subject svn commit: r1050700 - /httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
Date Sat, 18 Dec 2010 19:56:55 GMT
Author: nd
Date: Sat Dec 18 19:56:54 2010
New Revision: 1050700

URL: http://svn.apache.org/viewvc?rev=1050700&view=rev
Log:
add security warning about the new AuthzSendForbiddenOnFailure directive.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml?rev=1050700&r1=1050699&r2=1050700&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Sat Dec 18 19:56:54 2010
@@ -603,6 +603,12 @@ authentication succeeds but authorizatio
     again, which is not wanted in all situations.
     <directive>AuthzSendForbiddenOnFailure</directive> allows to change the
     response code to '403 FORBIDDEN'.</p>
+
+    <note type="warning"><title>Security Warning</title>
+    <p>Modifying the response in case of missing authorization weakens the
+    security of the password, because it reveals to a possible attacker, that
+    his guessed password was right.</p>
+    </note>
 </usage>
 </directivesynopsis>
 
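Review bot: In the added warning note, "Modifying the response in case of missing authorization" does not say which response or which setting is meant, so a reader who lands on the note alone cannot tell what to avoid. Name the directive and the status code in the warning itself: using AuthzSendForbiddenOnFailure to return '403 FORBIDDEN' lets a client tell a failed authentication apart from a successful authentication that lacks authorization, and that difference is what confirms a guessed password. Two wording points in the same sentence: drop the comma before "that", and prefer "a guessed password" over "his guessed password".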


