https://bz.apache.org/bugzilla/show_bug.cgi?id=66430
Bug ID: 66430
Summary: Sensitive Information Disclosure in error.log
Product: Apache httpd-2
Version: 2.4.51
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Core
Assignee: bugs@httpd.apache.org
Reporter: abhis...@opentext.com
Target Milestone: ---

Hi,

We found that during the startup/shutdown of the httpd server, 'notice' level logs are generated in error.log even though the log level of the module is above it. As part of this, the complete path of the process is disclosed in the log file, which causes disclosure of sensitive information.

Ex -

    [Wed Jan 18 03:30:09.575677 2023] [core:notice] [pid 1109] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

Upon further investigation we found that these logs are printed from the file below. Please find below the code snippet from the /httpd-2.4.51/server/log.c file.

    if (s->error_log) {
        /*
         * If we are doing normal logging, don't log messages that are
         * above the module's log level unless it is a startup/shutdown notice
         */
        if ((level_and_mask != APLOG_NOTICE)
            && (level_and_mask > configured_level)) {
            return;
        }

        logf = s->error_log;
    }

Please let me know if there is a way to suppress this log as part of the startup/shutdown. If there is no other way, can it be fixed as part of the next release of the product?

Best Regards.
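
Added example (not part of the report and not httpd source): a stand-alone C model of the quoted log.c condition that tabulates which severities reach error_log for each configured level. The helper names error_log_accepts and accepted_levels are hypothetical; the severity values follow httpd's http_log.h.

```c
#include <stdio.h>

/* Severity values as in httpd's http_log.h (lower number = more severe). */
enum { APLOG_EMERG, APLOG_ALERT, APLOG_CRIT, APLOG_ERR,
       APLOG_WARNING, APLOG_NOTICE, APLOG_INFO, APLOG_DEBUG };
#define APLOG_LEVELMASK 15

static const char *const level_names[] = {
    "emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"
};

/* Hypothetical helper: the same test as the quoted log.c branch.
 * Returns 1 if the message is written to error_log, 0 if it is dropped. */
int error_log_accepts(int level, int configured_level)
{
    int level_and_mask = level & APLOG_LEVELMASK;

    if ((level_and_mask != APLOG_NOTICE)
        && (level_and_mask > configured_level)) {
        return 0;
    }
    return 1;
}

/* Hypothetical helper: bitmask of severities that reach error_log for a
 * given configured level (bit n set = severity n is written). */
unsigned accepted_levels(int configured_level)
{
    unsigned mask = 0;
    for (int lvl = APLOG_EMERG; lvl <= APLOG_DEBUG; lvl++) {
        if (error_log_accepts(lvl, configured_level)) {
            mask |= 1u << lvl;
        }
    }
    return mask;
}

int main(void)
{
    /* One row per configured level; "notice" appears in every row. */
    for (int cfg = APLOG_EMERG; cfg <= APLOG_DEBUG; cfg++) {
        printf("LogLevel %-6s writes:", level_names[cfg]);
        for (int lvl = APLOG_EMERG; lvl <= APLOG_DEBUG; lvl++) {
            if (error_log_accepts(lvl, cfg)) printf(" %s", level_names[lvl]);
        }
        putchar('\n');
    }
    return 0;
}
```

Because of the APLOG_NOTICE exemption, no configured level in this model filters out the AH00094 line, so its exposure depends on who can read error.log and where the file is shipped.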