>Number:         5747
>Category:       mod_log-any
>Synopsis:       Does not log userid/pass if brought in on URL line
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Feb 12 10:40:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Release:        1.3.9
>Organization:
apache
>Environment:
BSD/OS gladsheim.ttsg.com 4.0.1 BSDI BSD/OS 4.0.1 Kernel #0: Mon Dec 13 09:54:37 EST 1999 [EMAIL PROTECTED]:/usr/src/sys/compile/GLADSHEIM i386
gladsheim% gcc -v
gcc version 2.7.2.1
>Description:
When attempting to log hits, the system does not log the userid and pass in the ref information if it came in with a : http://user:[EMAIL PROTECTED]/page/ format.
>How-To-Repeat:
1) Create $APACHEROOT/htdocs/protected
2) Put the following .htaccess

   AuthUserFile $APACHEROOT/protected/.htpasswd
   AuthName "TEST"
   AuthType Basic
   <Limit GET>
   require valid-user
   </Limit>

3) Add an id/pass to the file
4) Put in your httpd.conf

   <Directory $APACHEROOT/protected>
   AddHandler cgi-script .cgi
   DirectoryIndex index.cgi index.html index.shtml
   AllowOverride AuthConfig Limit
   Options +ExecCGI
   </Directory>

5) Make sure CustomLog is set to "combined", or uncomment the CustomLog for referer
6) Copy $APACHEROOT/cgi-bin/printenv $APACHEROOT/htdocs/protected/index.cgi
7) Add to the bottom of the index.cgi

   print "\<A HREF\=\"/protected/index2.cgi\"\>TEST\<\/A\>";

8) Access it at http://userid:[EMAIL PROTECTED]/protected

It only logs as:

heimdall.ttsg.com - ttsg [12/Feb/2000:13:28:19 -0500] "GET /protected/ HTTP/1.0" 200 1157 "-" "Mozilla/4.6 [en] (X11; I; BSD/OS 4.0.1 i386; Nav)"
heimdall.ttsg.com - ttsg [12/Feb/2000:13:28:21 -0500] "GET /protected/index.cgi HTTP/1.0" 200 1166 "http://valhalla.ttsg.com/protected/" "Mozilla/4.6 [en] (X11; I; BSD/OS 4.0.1 i386; Nav)"
>Fix:
Nope.
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <[EMAIL PROTECTED]> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
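
Added example, not part of the original problem report and not Apache code: a Python parser for the "combined" log lines quoted above. It separates the authenticated user field (%u, "ttsg" in both lines) from the Referer field, flags any Referer that carries user:password, and shows a redaction a log pipeline could apply. The third log line, its host www.example.test and the password "secret" are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_combined(line):
    """Return the named fields of one combined-format line, or None."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def referer_has_credentials(referer):
    """True when the Referer URL carries a userinfo part (user[:password]@host)."""
    if referer in ("", "-"):
        return False
    parts = urlsplit(referer)
    return parts.username is not None or parts.password is not None

def redact_referer(referer):
    """Drop the userinfo part so the credential is never written to storage."""
    if not referer_has_credentials(referer):
        return referer
    parts = urlsplit(referer)
    return parts._replace(netloc=parts.netloc.rpartition("@")[2]).geturl()

def audit(lines):
    """Yield (authenticated user, referer, referer leaks credentials) per line."""
    result = []
    for line in lines:
        rec = parse_combined(line)
        if rec is not None:
            result.append((rec["user"], rec["referer"],
                           referer_has_credentials(rec["referer"])))
    return result

UA = '"Mozilla/4.6 [en] (X11; I; BSD/OS 4.0.1 i386; Nav)"'
# The two lines quoted in the report.
REPORT_LINES = [
    'heimdall.ttsg.com - ttsg [12/Feb/2000:13:28:19 -0500] "GET /protected/ HTTP/1.0" 200 1157 "-" ' + UA,
    'heimdall.ttsg.com - ttsg [12/Feb/2000:13:28:21 -0500] "GET /protected/index.cgi HTTP/1.0" 200 1166 "http://valhalla.ttsg.com/protected/" ' + UA,
]
# Constructed line: what a Referer with embedded credentials would look like.
CONSTRUCTED_LINE = ('client.example.test - userid [12/Feb/2000:13:30:00 -0500] "GET /protected/index.cgi HTTP/1.0" '
                    '200 1166 "http://userid:secret@www.example.test/protected/" ' + UA)

if __name__ == "__main__":
    for row in audit(REPORT_LINES + [CONSTRUCTED_LINE]):
        print(row)
```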