httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Shahaf <...@daniel.shahaf.name>
Subject [PATCH] mod_log_forensic security considerations
Date Tue, 29 May 2012 17:36:42 GMT
https://blogs.apache.org/infra/entry/apache_org_incident_report_for

Infra got bit by mod_log_forensic logs including Authorization headers
and being world-readable, so in an effort to save someone else from
repeating this mistake how about adding it to the "Security
considerations" section of the documentation:

[[[
Index: docs/manual/mod/mod_log_forensic.xml
===================================================================
--- docs/manual/mod/mod_log_forensic.xml	(revision 1342688)
+++ docs/manual/mod/mod_log_forensic.xml	(working copy)
@@ -93,6 +93,10 @@
     document for details on why your security could be compromised
     if the directory where logfiles are stored is writable by
     anyone other than the user that starts the server.</p>
+    <p>The logfiles may contain sensitive data such as the contents of 
+    <code>Authorization:</code> headers (which can contain passwords), so
+    they should not be readable by anyone except the user that starts the
+    server.</p>
 </section>
 
 <directivesynopsis>
]]]

Perhaps it would be a useful feature to allow excluding those headers
from being logged, too.

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message