httpd-dev mailing list archives

From Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com>
Subject RE: [PATCH] mod_log_forensic security considerations
Date Fri, 08 Jun 2012 06:43:22 GMT


> -----Original Message-----
> From: Daniel Ruggeri
> Sent: Friday, 8 June 2012 00:16
> To: dev@httpd.apache.org
> Subject: Re: [PATCH] mod_log_forensic security considerations
> 
> On 6/7/2012 3:11 PM, Stefan Fritsch wrote:
> > On Thursday 07 June 2012, Eric Covener wrote:
> >> On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick wrote:
> >>> On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer <joe_schaefer@yahoo.com> wrote:
> >>>> Session cookies sometimes pose a security risk as well.
> >>> Yeah.  That could be any cookie though although there are a few
> >>> very common defaults :(  My guess is that cookie values are more
> >>> useful for debugging crashes than Authorization headers, but
> >>> that it should still be opt-in.
> >>>
> >>> Thoughts, anyone?
> >> +1 to separate knob to opt-in to Cookie logging.
> > I share William's concern that this makes mod_forensic potentially
> > less useful.
> >
> > Maybe making the forensic log mode 600 by default would be a better
> > idea?
> 
> Agreed as well. This module isn't enabled by default and is most likely
> to be enabled by a user that knows what they are trying to accomplish.
> To me, a clear and concise security warning in the documentation should
> be all that is needed.
> 
> IMO, having unadulterated logging capability is what makes
> mod_dumpio/mod_log_forensic some of the most useful modules for
> troubleshooting in a proxy/crashing scenario (respectively).

+1

Regards

Rüdiger
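The two mitigations weighed in the thread above, keeping sensitive headers out of the log and creating the log file as mode 600, as an added example that is not part of the original thread or of mod_log_forensic's own code: a small Python filter that redacts Cookie and Authorization values from lines in the module's documented `+id|request|Name:value|...` format and appends them to a log file that only its owner can read. The extra header names beyond Cookie and Authorization, the helper names, and the sample lines are assumptions constructed for the example.

```python
import os
import stat
import tempfile

# Headers whose values are redacted before the line reaches disk. The thread
# discusses Cookie and Authorization; the other two are an added assumption of
# what a defender would normally treat the same way.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}


def redact_forensic_line(line: str) -> str:
    """Redact sensitive header values in one mod_log_forensic line.

    Assumed layout, taken from the module's documented format: a request line
    starts with '+', followed by '|'-separated fields: the forensic id, the
    request line, then one 'Name:value' field per header. Literal ':' and '|'
    inside values are %-escaped by the module, so splitting on them is safe.
    A '-id' line marks the end of the request and is returned unchanged.
    """
    if not line.startswith("+"):
        return line
    body = line.rstrip("\n")
    fields = body.split("|")
    kept = fields[:2]  # '+id' and the request line are not touched
    for field in fields[2:]:
        name, sep, _value = field.partition(":")
        if sep and name.lower() in SENSITIVE_HEADERS:
            field = f"{name}:[REDACTED]"
        kept.append(field)
    return "|".join(kept) + ("\n" if line.endswith("\n") else "")


def open_private_log(path: str):
    """Open (creating if needed) a log file that only its owner can read or write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    # The mode passed with O_CREAT is masked by the umask and ignored for an
    # existing file, so enforce 0600 explicitly on the open descriptor.
    os.fchmod(fd, 0o600)
    return os.fdopen(fd, "a")


def log_is_private(path: str) -> bool:
    """True when no group or other permission bits are set on the log file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample lines in the forensic format (not real captured traffic).
SAMPLE_LINES = [
    "+a1b2c3|GET /index.html HTTP/1.1|Host:example.test%3a8080|"
    "Cookie:JSESSIONID=deadbeef|Authorization:Basic dXNlcjpwYXNz|"
    "User-Agent:Mozilla/5.0\n",
    "-a1b2c3\n",
]


def write_redacted_log(lines, path: str):
    """Redact every line and append it to a 0600 log; return what was written."""
    written = []
    with open_private_log(path) as log:
        for line in lines:
            safe = redact_forensic_line(line)
            log.write(safe)
            written.append(safe)
    return written


def demo():
    """Run the filter over the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "forensic_log")
        written = write_redacted_log(SAMPLE_LINES, path)
        return written, log_is_private(path)


if __name__ == "__main__":
    lines, private = demo()
    print("".join(lines), "private:", private)
```

The redaction keeps the header name so the forensic record still shows that a Cookie or Authorization header was present (useful when correlating a crash), while the file permissions cover anything the filter does not know to strip.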

