httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: security hole with ScriptLog
Date Sun, 12 Jan 1997 05:58:40 GMT
On Sun, 12 Jan 1997, Rob Hartill wrote:
> On Sat, 11 Jan 1997, Brian Behlendorf wrote:
> 
> > A patch which closes stdin to the script as soon as the script starts
> > sending stdout stuff would fix this,
> 
> how ?

Ah, my mistake, I thought you were trying the false-keepalive way of capturing
passwords.  

> The script I included doesn't capture STDIN, "ScriptLog" does it for you.
> 
> As for Alexei's comment about ScriptLog not really being for live servers,
> that's all fine and well, but there's no mention of that to the unsuspecting
> users..

Yes, it is worth enhancing the docs to mention that.

> I certainly wouldn't brush the problem aside. It's a security hole with
> very nasty consequences if abused. People testing Auth protected scripts
> are going to leave passwords in the ScriptLog file. Security holes don't
> get much worse than that.

Yes they do - this "attack" has to be from someone who has access to the
ScriptLog and wishes to do damage to someone else on their server, and even
then it's limited to forging auth.  Not as bad as the cookies hole, and I can
certainly see an argument for capturing that data when doing debugging.  

Maybe a "ScriptLogSecure" directive which prevents logging of sensitive
information is the best way to do this.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
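
An added example, not part of the original message or of Apache's code: a scan of a ScriptLog file that masks logged Authorization headers and reports which Basic-auth user to rotate. It assumes the entry layout given in the mod_cgi documentation (`%request`, headers, a blank line, then any POST body); the sample entry, paths and credential are constructed.

```python
import base64
import re

# Constructed sample entry; the credential decodes to a placeholder pair.
SAMPLE_LOG = """\
%% [Sun Jan 12 05:58:40 1997] POST /cgi-bin/test.cgi HTTP/1.0
%% 500 /usr/local/apache/cgi-bin/test.cgi
%request
Host: www.example.com
Authorization: Basic ZXhhbXBsZTpwbGFjZWhvbGRlcg==
Content-length: 9

user=demo
%response
%stderr
test.cgi: constructed failure
"""

AUTH_HEADER = re.compile(r"^((?:proxy-)?authorization):\s*(.*)$", re.I)

def redact_scriptlog(text):
    """Return (redacted_text, findings).

    findings holds (line_number, header_name, basic_auth_user_or_None).
    """
    out, findings = [], []
    in_headers = False
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("%"):
            # Section markers; only %request is followed by client headers.
            in_headers = (line.strip() == "%request")
        elif in_headers and line == "":
            in_headers = False  # blank line: the request body follows
        elif in_headers:
            m = AUTH_HEADER.match(line)
            if m:
                scheme, _, cred = m.group(2).partition(" ")
                user = None
                if scheme.lower() == "basic":
                    try:
                        raw = base64.b64decode(cred.strip())
                        user = raw.decode("latin-1").partition(":")[0]
                    except ValueError:
                        user = None  # malformed credential: still redact
                findings.append((no, m.group(1), user))
                line = f"{m.group(1)}: [REDACTED]"
        out.append(line)
    return "\n".join(out) + "\n", findings
```

The request body is left untouched here, so form fields that carry passwords still need separate review.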

