httpd-dev mailing list archives

From Alexei Kosut <ako...@nueva.pvt.k12.ca.us>
Subject Re: security hole with ScriptLog
Date Sun, 12 Jan 1997 04:28:31 GMT

On Sun, 12 Jan 1997, Rob Hartill wrote:

> Apart from the fact that ScriptLog can dump the "Authorization" header
> into the log when authorized scripts barf, it's not too difficult to
> come up with ways to trigger Auth in other areas of the
> server to capture passwords in the clear.

ScriptLog was never designed to be run on a "working" server. It isn't
optimized to be, and has both operational and security problems if it
is. IMHO, knowing that an Authorization header was present and its
contents can be important for debugging a script.

-- 
________________________________________________________________________
Alexei Kosut <akosut@nueva.pvt.k12.ca.us>      The Apache HTTP Server
URL: http://www.nueva.pvt.k12.ca.us/~akosut/   http://www.apache.org/
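
Added example, not part of the original message or of Apache's code: a scrubber that finds and redacts Authorization headers in a ScriptLog file before it is kept or shared for debugging. It assumes the entry layout documented for mod_cgi's ScriptLog (`%request`, `%response`, `%stdout`, `%stderr` sections); the sample log, host, script path and credentials are constructed.

```python
import re

# Constructed sample entry (assumed mod_cgi ScriptLog layout); all values invented.
SAMPLE_LOG = """\
%% [Sun Jan 12 04:20:00 1997] GET /cgi-bin/report.cgi HTTP/1.0
%% 500 /usr/local/apache/cgi-bin/report.cgi
%request
Host: www.example.com
Authorization: Basic YWxpY2U6czNjcjN0
User-Agent: Mozilla/3.0
%response
%stderr
Authorization: this line is script output, not a request header
"""

AUTH_HEADER = re.compile(r"^(authorization):\s*(.*)$", re.IGNORECASE)


def scrub_scriptlog(text):
    """Redact Authorization values inside %request header blocks.

    Returns (scrubbed_text, findings); each finding is
    (line_number, header_name, auth_scheme) so the leak can be reported.
    """
    out, findings, in_headers = [], [], False
    for number, line in enumerate(text.splitlines(), 1):
        if line.startswith("%"):
            # "%% ..." entry lines and section markers close any open header
            # block; only "%request" opens a new one.
            in_headers = line.strip() == "%request"
        elif in_headers and line == "":
            # Blank line: headers are over, a POST/PUT entity may follow.
            in_headers = False
        elif in_headers:
            match = AUTH_HEADER.match(line)
            if match:
                name, value = match.groups()
                parts = value.split(None, 1)
                # Keep the scheme (useful for debugging), never the credential.
                scheme = parts[0] if len(parts) == 2 else ""
                findings.append((number, name, scheme))
                kept = " ".join(p for p in (scheme, "[REDACTED]") if p)
                line = f"{name}: {kept}"
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    scrubbed, found = scrub_scriptlog(SAMPLE_LOG)
    print(scrubbed, found, sep="\n")
```

The scrubbed log still shows that an Authorization header was present and which scheme it used, while the credential itself is removed.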

