httpd-dev mailing list archives

From "Philip A. Prindeville" <phil...@enteka.com>
Subject Re: proxy logging ftp password
Date Sun, 07 Sep 1997 08:10:34 GMT
	Date: Sat, 6 Sep 1997 21:47:05 -0600 (MDT)
	From: Marc Slemko <marcs@worldgate.com>
	To: Apache - BYOC <new-httpd@apache.org>
	Subject: proxy logging ftp password

	ISTR a discussion about this before, but not what the conclusion was...

	ftp://user:password@host/path/

	logs your password in the Apache log.  That is bad, no?

	Should we be overwriting the password in r->the_request with xxx?

In my opinion, for what it is worth, yes.  Since the log files are
owned by the userid of the apache user, they can't really be protected.
So, they would be easy to get to if the system were compromised or even
if (god forbid) a Web-hosting company also let users have shell accounts.

-Philip
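
The masking asked about in the quoted message, as an added example (not code from this thread or from Apache): `mask_url_password` is a hypothetical helper that copies a request line and overwrites the password in the URL with `xxx` before the line would be written to a log. It assumes the password contains no unencoded `/`, `?`, `#` or space.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an Apache API. Copies a request line into out,
 * replacing the password in scheme://user:password@host with "xxx".
 * Returns 1 if masked, 0 if copied unchanged, -1 if out is too small. */
int mask_url_password(const char *line, char *out, size_t outlen)
{
    const char *auth = strstr(line, "://");
    const char *end, *p, *at = NULL, *colon = NULL;
    size_t head;

    if (auth != NULL) {
        auth += 3;
        /* The authority ends at the first '/', '?', '#' or space. */
        end = auth + strcspn(auth, "/?# ");
        /* Userinfo ends at the last '@' inside the authority. */
        for (p = auth; p < end; p++)
            if (*p == '@')
                at = p;
        /* The password follows the first ':' inside the userinfo. */
        if (at != NULL)
            colon = memchr(auth, ':', (size_t)(at - auth));
    }
    if (colon == NULL) {                 /* nothing to hide */
        if (strlen(line) + 1 > outlen)
            return -1;
        strcpy(out, line);
        return 0;
    }
    head = (size_t)(colon - line) + 1;   /* keep text through the ':' */
    if (head + 3 + strlen(at) + 1 > outlen)
        return -1;
    memcpy(out, line, head);
    memcpy(out + head, "xxx", 3);
    strcpy(out + head + 3, at);          /* "@host/path/ ..." */
    return 1;
}

int main(void)
{
    /* Constructed sample request line, using the URL form from the thread. */
    char buf[256];
    mask_url_password("GET ftp://user:password@host/path/ HTTP/1.0", buf, sizeof buf);
    puts(buf);
    return 0;
}
```

The fixed `xxx` also hides the password's length, and a host port (`ftp://host:21/`) or a `:` and `@` later in the path are left untouched because only the authority part is searched.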
