https://bz.apache.org/bugzilla/show_bug.cgi?id=66430

            Bug ID: 66430
           Summary: Sensitive Information Disclosure in error.log
           Product: Apache httpd-2
           Version: 2.4.51
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Core
          Assignee: bugs@httpd.apache.org
          Reporter: abhis...@opentext.com
  Target Milestone: ---

Hi,

We found that during the startup/shutdown of the httpd server, 'notice' level
logs are generated in error.log even though the log level of the module is
above it. As part of this, the complete path of the process is disclosed in the
log file and causes disclosure of sensitive information.

Ex - [Wed Jan 18 03:30:09.575677 2023] [core:notice] [pid 1109] AH00094:
Command line: '/usr/sbin/httpd -D FOREGROUND'

Upon further investigation we found that these logs are printed from the file
below.
Please find below the code snippet from /httpd-2.4.51/server/log.c file.
    if (s->error_log) {
        /*
         * If we are doing normal logging, don't log messages that are
         * above the module's log level unless it is a startup/shutdown notice
         */
        if ((level_and_mask != APLOG_NOTICE)
            && (level_and_mask > configured_level)) {
            return;
        }
        logf = s->error_log;
    }

Please let me know if there is a way to suppress this log as part of the
startup/shutdown.
If there is no other way, can it be fixed as part of the next release of the
product?

Best Regards.
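
Added example (not part of the original report and not httpd source code): a stand-alone C model of the condition quoted above, showing which severities reach error.log for each LogLevel setting. The APLOG_* values follow httpd's http_log.h; the function names error_log_gate_passes and written_levels are hypothetical.

```c
#include <stdio.h>

/* Severity values as defined in httpd's http_log.h (lower = more severe). */
#define APLOG_EMERG   0
#define APLOG_ALERT   1
#define APLOG_CRIT    2
#define APLOG_ERR     3
#define APLOG_WARNING 4
#define APLOG_NOTICE  5
#define APLOG_INFO    6
#define APLOG_DEBUG   7

/* Hypothetical helper: models only the quoted condition for a server
 * that has an error_log file. Returns 1 if the message is written. */
static int error_log_gate_passes(int level_and_mask, int configured_level)
{
    if ((level_and_mask != APLOG_NOTICE)
        && (level_and_mask > configured_level)) {
        return 0;   /* dropped: less severe than the configured level */
    }
    return 1;       /* written: severe enough, or a notice */
}

/* Hypothetical helper: bitmask of levels that reach error.log for a
 * given LogLevel; bit N set means level N is written. */
static unsigned written_levels(int configured_level)
{
    unsigned mask = 0;
    for (int lvl = APLOG_EMERG; lvl <= APLOG_DEBUG; lvl++) {
        if (error_log_gate_passes(lvl, configured_level))
            mask |= 1u << lvl;
    }
    return mask;
}

int main(void)
{
    static const char *names[] = { "emerg", "alert", "crit", "error",
                                   "warn", "notice", "info", "debug" };
    for (int cfg = APLOG_EMERG; cfg <= APLOG_DEBUG; cfg++) {
        printf("LogLevel %-6s writes:", names[cfg]);
        for (int lvl = APLOG_EMERG; lvl <= APLOG_DEBUG; lvl++)
            if (written_levels(cfg) & (1u << lvl))
                printf(" %s", names[lvl]);
        printf("\n");
    }
    return 0;
}
```

Under this condition the notice bit is set for every configured level, which is why the AH00094 line appears in error.log regardless of LogLevel.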
