httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Hartill <r...@imdb.com>
Subject Re: security hole with ScriptLog
Date Sun, 12 Jan 1997 13:32:19 GMT
On Sat, 11 Jan 1997, Brian Behlendorf wrote:

> > I certainly wouldn't brush the problem aside. It's a security hole with
> > very nasty consequences if abused. People testing Auth protected scripts
> > are going to leave passwords in the ScriptLog file. Security holes don't
> > get much worse that that.
> 
> Yes they do - this "attack" has to be from someone who has access to the
> ScriptLog and wishes to do damage to someone else on their server, and even
> then it's limited to forging auth.

we allow people to shoot themselves in the foot with /etc/passwd being
used by some.

> Maybe a "ScriptLogSecure" directive which prevents logging of sensitive
> information is the best way to do this.

that'd help. Calling it Secure is an invitation for someone to
prove it's not though  :-)


Mime
View raw message