Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's

2012-06-07 Thread Joe Orton
On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote: Here are some valid requests which fail the 4317 checks: CONNECT foo.example.com[:port] GET http://foo.example.com GET proxy:http://foo.example.com/ (rewriting something which was already proxied internally) I am leaning

Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's

2012-06-07 Thread Jeff Trawick
On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton jor...@redhat.com wrote: On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote: Here are some valid requests which fail the 4317 checks: CONNECT foo.example.com[:port] GET http://foo.example.com GET proxy:http://foo.example.com/ (rewriting

Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's

2012-06-07 Thread Eric Covener
On Thu, Jun 7, 2012 at 1:14 PM, Jeff Trawick traw...@gmail.com wrote: On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton jor...@redhat.com wrote: On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote: Here are some valid requests which fail the 4317 checks: CONNECT foo.example.com[:port] GET
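The three request forms Jeff Trawick lists above are all legitimate, yet a screen that only lets a request-target through when it begins with "/" rejects every one of them. The following is an added example, not httpd's own implementation: a model of request-target classification that accepts origin-form, CONNECT authority-form and absolute-form targets while still rejecting a target that is neither a path nor a URL, which is the shape the post-4317 checks exist to stop. The treatment of a "proxy:" prefix as an already-proxied internal target, the rejection of userinfo in absolute-form, and every sample request line are assumptions of this example; the malformed sample is constructed.

```python
# Added example: request-target classification for the post-CVE-2011-4317 checks.
# Illustrative code, not Apache httpd's implementation.
import re
from urllib.parse import urlsplit

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def classify_request_target(method: str, target: str) -> str:
    """Return the request-target form (RFC 7230 section 5.3) or 'malformed'."""
    if target == "*":
        return "asterisk-form"            # e.g. OPTIONS *
    if target.startswith("/"):
        return "origin-form"              # the usual /path?query
    if method == "CONNECT":
        # authority-form: host[:port], no scheme, no path, no userinfo
        host, _, port = target.partition(":")
        if host and "/" not in target and "@" not in target and (port == "" or port.isdigit()):
            return "authority-form"
        return "malformed"
    if target.startswith("proxy:"):
        # Assumption: model httpd's internal "proxy:" prefix (a target an earlier
        # [P] rewrite already routed through mod_proxy) as already-proxied, and
        # require the part after the prefix to be a valid absolute-form target.
        inner = target[len("proxy:"):]
        return "already-proxied" if classify_request_target("GET", inner) == "absolute-form" else "malformed"
    if _SCHEME_RE.match(target):
        parts = urlsplit(target)
        # Policy choice of this example: http/https only, a host is required,
        # and userinfo ("user:pass@") in the authority is refused.
        if parts.scheme in ("http", "https") and parts.hostname and "@" not in parts.netloc:
            return "absolute-form"
        return "malformed"
    return "malformed"                    # e.g. "@host/" or "host:port" on a non-CONNECT


def strict_leading_slash_check(method: str, target: str) -> bool:
    """The over-strict screen: only origin-form passes."""
    return target.startswith("/")


def form_aware_check(method: str, target: str) -> bool:
    """Accept any well-formed target for the given method, reject the rest."""
    return classify_request_target(method, target) != "malformed"


# Constructed sample request lines. The first three are the forms the thread
# lists as valid but rejected by the 4317 checks; the last two must stay rejected.
SAMPLE_REQUESTS = [
    ("CONNECT", "foo.example.com:443"),
    ("GET", "http://foo.example.com"),
    ("GET", "proxy:http://foo.example.com/"),
    ("GET", "/index.html"),
    ("OPTIONS", "*"),
    ("GET", "@backend.internal/"),       # constructed: neither a path nor a URL
    ("GET", "foo.example.com:80"),       # authority-form is only valid for CONNECT
]


def evaluate(samples=SAMPLE_REQUESTS):
    """Rows of (method, target, form, strict_passes, form_aware_passes)."""
    return [
        (m, t, classify_request_target(m, t), strict_leading_slash_check(m, t), form_aware_check(m, t))
        for m, t in samples
    ]


if __name__ == "__main__":
    for method, target, form, strict_ok, aware_ok in evaluate():
        print(f"{method:8}{target:32}{form:16}strict={strict_ok!s:6}form-aware={aware_ok}")
```

Running it shows the strict check passing only "/index.html", while the form-aware check passes the three forms from the thread plus "OPTIONS *" and still refuses the constructed "@backend.internal/" target and a bare host:port on a GET.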

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Jeff Trawick
On Thu, Jun 7, 2012 at 2:18 PM, William A. Rowe Jr. wr...@rowe-clan.net wrote: On 6/6/2012 2:46 PM, Jeff Trawick wrote: On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: Perhaps it would be a useful feature to allow excluding those headers from being logged, too.

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread William A. Rowe Jr.
On 6/7/2012 1:56 PM, Jeff Trawick wrote: On Thu, Jun 7, 2012 at 2:18 PM, William A. Rowe Jr. wr...@rowe-clan.net wrote: On 6/6/2012 2:46 PM, Jeff Trawick wrote: On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: Perhaps it would be a useful feature to allow

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Stefan Fritsch
On Thursday 07 June 2012, Eric Covener wrote: On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick traw...@gmail.com wrote: On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer joe_schae...@yahoo.com wrote: Session cookies sometimes pose a security risk as well. Yeah. That could be any cookie though

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Jeff Trawick
On Thu, Jun 7, 2012 at 4:11 PM, Stefan Fritsch s...@sfritsch.de wrote: On Thursday 07 June 2012, Eric Covener wrote: On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick traw...@gmail.com wrote: On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer joe_schae...@yahoo.com wrote: Session cookies sometimes

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Jim Riggs
On Jun 7, 2012, at 3:11 PM, Stefan Fritsch wrote: I share William's concern that this makes mod_forensic potentially less useful. Maybe making the forensic log mode 600 by default would be a better idea? I have to agree with Jeff. I would rather have a more difficult or even impossible

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Daniel Ruggeri
On 6/7/2012 3:11 PM, Stefan Fritsch wrote: On Thursday 07 June 2012, Eric Covener wrote: On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick traw...@gmail.com wrote: On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer joe_schae...@yahoo.com wrote: Session cookies sometimes pose a security risk as well.
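The thread above weighs two ways of keeping session cookies and credentials out of a mod_log_forensic log: dropping selected headers at write time (which loses forensic detail) or tightening the file mode. A third option a practitioner can apply today, shown here as an added example that is not part of the patch or of httpd, is to redact the sensitive header values when the log leaves the host, keeping the header names and the value lengths so the record still shows what the request carried. It assumes the module's documented line format (a "+" line per request with the unique ID, the request line and the headers separated by "|", a "-" line with the ID on completion, and "|" and ":" percent-escaped inside values so they only ever delimit); the log lines and the ID in them are constructed.

```python
# Added example: redact sensitive header values in mod_log_forensic output.
# Not part of httpd or of the patch under discussion.

# Header names whose values should never leave the host; extend as needed.
SENSITIVE_HEADERS = frozenset({"cookie", "set-cookie", "authorization", "proxy-authorization"})


def redact_line(line: str, sensitive=SENSITIVE_HEADERS) -> str:
    """Redact the values of sensitive headers on a '+' line; pass other lines through."""
    if not line.startswith("+"):
        return line                                  # "-id" completion lines carry no headers
    fields = line.rstrip("\n").split("|")            # '|' inside values is escaped as %7c
    out = fields[:2]                                 # "+id" and the request line
    for field in fields[2:]:
        name, sep, value = field.partition(":")      # ':' inside values is escaped as %3a
        if sep and name.lower() in sensitive:
            # Keep the name and the length: the analyst still sees the header was
            # present and how big it was, without the secret itself.
            out.append(f"{name}:[redacted {len(value)} bytes]")
        else:
            out.append(field)
    return "|".join(out)


def redact_log(lines):
    """Redact every line of a forensic log given as an iterable of strings."""
    return [redact_line(line) for line in lines]


# Constructed sample log; the ID is made up and the format follows the module's
# documentation as described in the lead-in.
SAMPLE_LOG = [
    "+aBcD1234constructedId|GET /account HTTP/1.1|Host:www.example.com"
    "|Cookie:JSESSIONID=abc123|Authorization:Basic dXNlcjpwYXNz|User-Agent:curl/7.79.1",
    "-aBcD1234constructedId",
]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Pipe the live file through this before shipping it to a log collector; the on-disk copy can stay complete and mode 600 as Stefan suggests, so the forensic detail is available locally while the exported copy no longer leaks session identifiers or Basic credentials.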