httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Schaefer <joe_schae...@yahoo.com>
Subject Re: [PATCH] mod_log_forensic security considerations
Date Wed, 06 Jun 2012 19:49:13 GMT
Session cookies sometimes pose a security risk as well.



----- Original Message -----
> From: Jeff Trawick <trawick@gmail.com>
> To: docs@httpd.apache.org; dev@httpd.apache.org
> Cc: 
> Sent: Wednesday, June 6, 2012 3:46 PM
> Subject: Re: [PATCH] mod_log_forensic security considerations
> 
> On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf <d.s@daniel.shahaf.name> 
> wrote:
>>  https://blogs.apache.org/infra/entry/apache_org_incident_report_for
>> 
>>  Infra got bit by mod_log_forensic logs including Authorization headers
>>  and being world-readable, so in an effort to save someone else from
>>  repeating this mistake how about adding it to the "Security
>>  considerations" section of the documentation:
>> 
>>  [[[
>>  Index: docs/manual/mod/mod_log_forensic.xml
>>  ===================================================================
>>  --- docs/manual/mod/mod_log_forensic.xml        (revision 1342688)
>>  +++ docs/manual/mod/mod_log_forensic.xml        (working copy)
>>  @@ -93,6 +93,10 @@
>>      document for details on why your security could be compromised
>>      if the directory where logfiles are stored is writable by
>>      anyone other than the user that starts the server.</p>
>>  +    <p>The logfiles may contain sensitive data such as the contents 
> of
>>  +    <code>Authorization:</code> headers (which can contain 
> passwords), so
>>  +    they should not be readable by anyone except the user that starts the
>>  +    server.</p>
>>   </section>
>> 
>>   <directivesynopsis>
>>  ]]]
>> 
>>  Perhaps it would be a useful feature to allow excluding those headers
>>  from being logged, too.
> 
> IMO they shouldn't be logged by default (if at all).
> Proxy-Authorization also needs to be handled.  (Anything else?  My
> search query foo is particularly bad today.)
> 
> Attached is a potential code fix...  I guess a directive could be
> added to allow them to be logged, but when would that be needed?  (A.
> When the request crashes due to the exact value of one of these
> headers and the module author needs it for debugging.)
> 
> -- 
> Born in Roswell... married an alien...
> http://emptyhammock.com/
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
> For additional commands, e-mail: docs-help@httpd.apache.org
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message