> The password is also LOGGED when the web based administration tool is
> used. It can be obtained by simply grep'ing the logfile output. The
> offending line is here:
> <08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))

It seems that many people still do not get the idea that POST should be
used instead of GET in any situation where authentication takes place via
an HTML page. The GET arguments can show up not only in a web server log,
but in the log of a proxy server standing between the web server and the
person trying to authenticate.


Philip
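An added example, not part of the original thread: a small scanner for the log format quoted above that flags GET requests carrying credential-looking query parameters and produces a redacted copy of the line, so an administrator can find such leaks in existing logs and keep them out of retained copies. The list of parameter names and the second sample line are assumptions/constructed for the example; the first sample line is the one quoted in the thread.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry credentials (assumed list; extend as needed).
SENSITIVE_PARAMS = {"pass", "passwd", "password", "pwd", "pw", "secret", "token"}

# Matches the REQ:"..." field of the log format quoted in the thread.
REQ_RE = re.compile(r'REQ:"([^"]*)"')

# Sample log lines: the first is the line quoted in the thread, the second is constructed.
SAMPLE_LOG = [
    '<08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))',
    '<08/20/99@06:12:03> [http:1 my.computer.com] REQ:"/index.html" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))',
]


def leaked_params(log_line):
    """Return the names of credential-looking parameters found in the request's query string."""
    m = REQ_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact(log_line):
    """Return the log line with sensitive query values replaced by [REDACTED]."""
    m = REQ_RE.search(log_line)
    if not m:
        return log_line
    parts = urlsplit(m.group(1))
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    clean = urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))
    return log_line[:m.start(1)] + clean + log_line[m.end(1):]


def scan(lines):
    """Return (line number, leaked parameter names) for every line that leaks credentials."""
    return [(n, p) for n, line in enumerate(lines, 1) if (p := leaked_params(line))]


if __name__ == "__main__":
    for n, params in scan(SAMPLE_LOG):
        print(f"line {n}: credentials in query string ({', '.join(params)})")
        print("  redacted:", redact(SAMPLE_LOG[n - 1]))
```

The same check can be pointed at a proxy log, since a proxy between the browser and the server records the same request line.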
