On Tue, Mar 12, 2002 at 03:10:43PM +0100, Ralf Dreibrodt wrote:
> Hi,
>
> I just saw an error on a Debian box with apache(-common) 1.3.9-13.2:
>
> drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var
> drwxr-xr-x 6 root root 4096 Mar 11 06:30 /var/log
> drwxr-xr-x 2 root root 4096 Mar 10 06:25 /var/log/apache
> -rw-rw-r-- 1 www-data nogroup 134382 Mar 12 13:45
> /var/log/apache/access.log
>
> tail -n 1 /var/log/apache/access.log
> 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET
> /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
>

Never use GET for password fields.

> To whom does this problem belong?
>
> The programmer, who used GET for a login, or the sysadmin who shows every
> ordinary user the GET request?
>
> BTW, I think the apache package is not usable for a webhosting server
> (e.g. FrontPage is missing, security is in general too bad), so I normally

Uhm, security is also worse if you enable FrontPage extensions.
Moreover, I think there are major DFSG problems which keep FP extensions
off Debian.

-- 
Francesco P. Lovergine
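As an added example (not part of the thread and not Debian's or Apache's own tooling), the following sketch audits an access log for both conditions discussed above: credentials carried in GET query strings and a log that ordinary users can read. The list of sensitive parameter names is an assumption, and the sample line is constructed from the one quoted in the message.

```python
import os
import re
import stat
from urllib.parse import urlsplit, parse_qsl

# Assumed list of parameter names that usually carry secrets.
SENSITIVE = {"password", "passwd", "pass", "pwd", "token", "secret"}

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) [^"]*"')

def leaked_params(line):
    """Return [(path, param)] for sensitive query parameters in one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = urlsplit(m.group(2))
    return [(target.path, name)
            for name, _ in parse_qsl(target.query, keep_blank_values=True)
            if name.lower() in SENSITIVE]

def world_readable(path):
    """True if 'other' can read the file and traverse every parent directory."""
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    parent = os.path.dirname(os.path.abspath(path))
    while True:
        if not os.stat(parent).st_mode & stat.S_IXOTH:
            return False
        if parent == os.path.dirname(parent):  # reached the filesystem root
            return True
        parent = os.path.dirname(parent)

def audit(path):
    """Summarise exposure of one access log; secret values are never echoed."""
    hits = set()
    with open(path, errors="replace") as fh:
        for line in fh:
            hits.update(leaked_params(line))
    return {"world_readable": world_readable(path), "leaks": sorted(hits)}

# Constructed sample line, modelled on the one quoted in the thread.
SAMPLE = ('127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] '
          '"GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148')

if __name__ == "__main__":
    print(leaked_params(SAMPLE))
```

A report with a non-empty `leaks` list and `world_readable` set to true corresponds to the situation in the thread: the application should move the login to POST, and the log's mode should be tightened independently.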

