httpd-dev mailing list archives

From Alexei Kosut <>
Subject Re: security hole with ScriptLog
Date Sun, 12 Jan 1997 04:28:31 GMT
On Sun, 12 Jan 1997, Rob Hartill wrote:

> Apart from the fact that ScriptLog can dump the "Authorization" header
> into the log when authorized scripts barf, it's not too difficult to
> come up with ways to trigger Auth in other areas of the
> server to capture passwords in the clear.

ScriptLog was never designed to be run on a "working" server. It isn't
optimized to be, and has both operational and security problems if it
is. IMHO, knowing that an Authorization header was present and its
contents can be important for debugging a script.

Alexei Kosut <>      The Apache HTTP Server
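
The exposure discussed in this thread can be reduced after the fact by scrubbing credentials from a ScriptLog file before it is shared for debugging. The following is an added example, not part of the original message or of Apache's code. It assumes the log layout described in the mod_cgi documentation (a `%request` marker followed by the request headers); the function name and the sample log are constructed for illustration.

```python
import re

# Request headers whose values carry credentials. Basic auth is only
# base64-encoded, so a logged value is equivalent to the cleartext password.
SENSITIVE = re.compile(r"^((?:proxy-)?authorization)\s*:\s*(.*)$", re.IGNORECASE)

def redact_scriptlog(text):
    """Return (redacted_text, hits) for a ScriptLog-style dump (assumed layout)."""
    out, hits, in_headers = [], 0, False
    for line in text.splitlines():
        if line.startswith("%"):
            # Section marker: only the %request section holds client headers.
            in_headers = line.strip() == "%request"
        elif in_headers and not line.strip():
            in_headers = False  # blank line ends the headers; a body may follow
        elif in_headers:
            m = SENSITIVE.match(line)
            if m:
                parts = m.group(2).split(None, 1)
                # Keep the scheme (useful for debugging) only when a separate
                # credential token follows it; otherwise redact the whole value.
                scheme = parts[0] + " " if len(parts) == 2 else ""
                line = f"{m.group(1)}: {scheme}[REDACTED]"
                hits += 1
        out.append(line)
    return "\n".join(out), hits

# Constructed sample log; the credential is base64 of a placeholder value.
SAMPLE = """\
%% [Sun Jan 12 04:20:00 1997] GET /cgi-bin/report.cgi HTTP/1.0
%% 500 /path/to/cgi-bin/report.cgi
%request
Host: www.example.com
Authorization: Basic ZXhhbXBsZTpleGFtcGxl
User-Agent: ExampleBrowser/1.0
%response
%stderr
Authorization: not a header, script output
"""

if __name__ == "__main__":
    redacted, hits = redact_scriptlog(SAMPLE)
    print(redacted)
    print(f"{hits} credential header(s) redacted")
```

The presence of the header and its scheme stay visible, which preserves the debugging value Alexei describes while removing the password itself.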
