httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <>
Subject Re: [PATCH] mod_log_forensic security considerations
Date Thu, 07 Jun 2012 18:56:18 GMT
On Thu, Jun 7, 2012 at 2:18 PM, William A. Rowe Jr. <> wrote:
> On 6/6/2012 2:46 PM, Jeff Trawick wrote:
>> On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf <> wrote:
>>> Perhaps it would be a useful feature to allow excluding those headers
>>> from being logged, too.
>> IMO they shouldn't be logged by default (if at all).
>> Proxy-Authorization also needs to be handled.  (Anything else?  My
>> search query foo is particularly bad today.)
> ANY parsing which occurs within mod_log_forensic is going to open that module
> itself to suspicion and potential un-captured exploitative header values.
> My own theory; provide pipe log redirection and write a filter to do whatever
> you like to corrupt the pure data received from the client.
> Otherwise, you have other issues like proxy connect scheme://user:pass@backend/
> or session tokens in URL's or cookies to contend with.
> There is no way to make forensic logging 'safe for general consumption' and that
> is the message we have to broadcast loudly.

The list of concerns can't be fixed with with code and we need to put
more hints in the documentation.

Logging obvious passwords by default is just plain stupid though.

> A forensic logging pipe could easily kill off all matched requests before they
> were ever logged to disk, resulting in only unmatched pairs.  The parent process
> which spawned the logger shouldn't be crashing, so the logging should 'just work'.

Writing only the unmatched requests is equivalent to what you get with
mod_whatkilledus, though using a much different implementation.

Born in Roswell... married an alien...

View raw message