www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lyonel VINCENT <vinc...@trotek05.trotek.ec-lyon.fr>
Subject mod_proxy/668: Two problems with user:password@host URLs
Date Wed, 04 Jun 1997 10:00:02 GMT

>Number:         668
>Category:       mod_proxy
>Synopsis:       Two problems with user:password@host URLs
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Jun  4 03:00:01 1997
>Originator:     vincent@hpwww.ec-lyon.fr
>Organization:
apache
>Release:        1.2b10
>Environment:
HP-UX atropos B.10.20 A 9000/803 2006896634 two-user license
ansi C
>Description:
* The standard mod_proxy just does not understand http://user:password@host/
requests and refuses to handle them.
* the proxy module logs the sent user/password pairs in the logfile => security
problem.
>How-To-Repeat:
Just use Netscape Gold and give it a default user/password pair then publish
your document through the proxy. Netscape will send something like
  PUT http://user:password@host/document HTTP/1.0
which gets the proxy confused.
>Fix:
I have fixed the problems by modifying proxy_http.c and mod_proxy.c -- where
can I send the solution %3
>Audit-Trail:
>Unformatted:



Mime
View raw message