httpd-dev mailing list archives

From Daniel Ruggeri <DRugg...@primary.net>
Subject Re: [PATCH] mod_log_forensic security considerations
Date Thu, 07 Jun 2012 22:16:26 GMT
On 6/7/2012 3:11 PM, Stefan Fritsch wrote:
> On Thursday 07 June 2012, Eric Covener wrote:
>> On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick <trawick@gmail.com> wrote:
>>> On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer <joe_schaefer@yahoo.com> wrote:
>>>> Session cookies sometimes pose a security risk as well.
>>> Yeah.  That could be any cookie though although there are a few
>>> very common defaults :(  My guess is that cookie values are more
>>> useful for debugging crashes than Authorization headers, but
>>> that it should still be opt-in.
>>>
>>> Thoughts, anyone?
>> +1 to separate knob to opt-in to Cookie logging.
> I share William's concern that this makes mod_forensic potentially less 
> useful.
>
> Maybe making the forensic log mode 600 by default would be a better 
> idea?

Agreed as well. This module isn't enabled by default and is most likely
to be enabled by a user that knows what they are trying to accomplish.
To me, a clear and concise security warning in the documentation should
be all that is needed.

IMO, having unadulterated logging capability is what makes
mod_dumpio/mod_log_forensic some of the most useful modules for
troubleshooting in a proxy/crashing scenario (respectively).

-- 
Daniel Ruggeri
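The trade-off discussed in this thread, as an added example that is not part of the thread and not code from httpd or mod_log_forensic: the forensic log records every request header verbatim, so it captures Cookie and Authorization values, and the two mitigations on the table are restricting the file mode to 0600 and leaving the operator to scrub or opt out of sensitive headers. The script below constructs two sample entries in the mod_log_forensic line layout (assumed here from the module's documentation: `+id|request line|Header:value|...` when a request starts, `-id` when it completes, with `|`, `:` and `%` inside values escaped as `%xx`), redacts the sensitive header values, and checks that the log file grants no group or other permissions. The header set, the function names and the sample lines are this example's own choices, not anything the project ships.

```python
import os
import stat
import tempfile

# Request headers whose values should never sit readable in a log file.
# (Assumption for this example: the thread names Cookie and Authorization;
# Proxy-Authorization is added here because it carries the same kind of secret.)
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}

# Constructed sample in the assumed mod_log_forensic layout described in the lead-in.
# The request id, session id and Basic credentials are made up for the example.
SAMPLE_LOG = """\
+yQtJf8CoAB4AAFNXBIEAAAAA|GET /admin/ HTTP/1.1|Host:localhost%3a8080|Cookie:JSESSIONID=3F1A9C0D;theme=dark|Authorization:Basic YWRtaW46aHVudGVyMg==|User-Agent:curl/7.68.0
-yQtJf8CoAB4AAFNXBIEAAAAA
+yQtJf8CoAB4AAFNXBIEAAAAB|GET /images/logo.png HTTP/1.1|Host:localhost%3a8080|Accept:image/png
"""


def split_headers(line):
    """Return the 'Name:value' header fields of a '+' entry (empty for '-' entries)."""
    if not line.startswith("+"):
        return []
    # fields[0] is '+id', fields[1] the request line, the rest are headers.
    # ':' inside a value is escaped as %3a, so the first ':' is the separator.
    return line.split("|")[2:]


def count_sensitive(text):
    """Count header fields across all entries whose name is in SENSITIVE_HEADERS."""
    count = 0
    for line in text.splitlines():
        for field in split_headers(line):
            name, sep, _value = field.partition(":")
            if sep and name.lower() in SENSITIVE_HEADERS:
                count += 1
    return count


def redact_line(line):
    """Replace the value of every sensitive header in one entry with [REDACTED]."""
    if not line.startswith("+"):
        return line  # '-id' completion markers carry no headers
    fields = line.split("|")
    out = fields[:2]
    for field in fields[2:]:
        name, sep, _value = field.partition(":")
        if sep and name.lower() in SENSITIVE_HEADERS:
            out.append(name + ":[REDACTED]")
        else:
            out.append(field)
    return "|".join(out)


def redact_log(text):
    """Redact every entry of a forensic log, preserving line order and '-id' markers."""
    return "\n".join(redact_line(line) for line in text.splitlines())


def write_private_log(path, text):
    """Create or truncate path with mode 0600 and write text to it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.fchmod(fd, 0o600)  # enforce 0600 even if the file pre-existed with a looser mode
        os.write(fd, text.encode())
    finally:
        os.close(fd)


def log_mode_ok(path, allowed=0o600):
    """True if the file grants nothing beyond 'allowed' (no group/other bits for 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & ~allowed) == 0


def check_tempfile_modes():
    """Write a redacted log at 0600, then loosen it to 0644; return (strict_ok, loose_ok)."""
    fd, path = tempfile.mkstemp(prefix="forensic_", suffix=".log")
    os.close(fd)
    try:
        write_private_log(path, redact_log(SAMPLE_LOG))
        strict_ok = log_mode_ok(path)
        os.chmod(path, 0o644)  # what a default umask of 022 would typically leave behind
        loose_ok = log_mode_ok(path)
    finally:
        os.unlink(path)
    return strict_ok, loose_ok


if __name__ == "__main__":
    print("sensitive header fields in sample:", count_sensitive(SAMPLE_LOG))
    print(redact_log(SAMPLE_LOG))
    print("mode check (0600, 0644):", check_tempfile_modes())
```

The redaction keeps the header names, so the log still shows which headers a crashing request carried, which is what the thread values for debugging; only the values go. `log_mode_ok` is the check a deployment script would run against the path given to `ForensicLog`, regardless of which default the module itself ends up with.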

