Session cookies sometimes pose a security risk as well.
----- Original Message -----
> From: Jeff Trawick <traw...@gmail.com>
> To: docs@httpd.apache.org; d...@httpd.apache.org
> Cc:
> Sent: Wednesday, June 6, 2012 3:46 PM
> Subject: Re: [PATCH] mod_log_forensic security considerations
>
> On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf <d...@daniel.shahaf.name>
> wrote:
>> https://blogs.apache.org/infra/entry/apache_org_incident_report_for
>>
>> Infra got bit by mod_log_forensic logs including Authorization headers
>> and being world-readable, so in an effort to save someone else from
>> repeating this mistake how about adding it to the "Security
>> considerations" section of the documentation:
>>
>> [[[
>> Index: docs/manual/mod/mod_log_forensic.xml
>> ===================================================================
>> --- docs/manual/mod/mod_log_forensic.xml (revision 1342688)
>> +++ docs/manual/mod/mod_log_forensic.xml (working copy)
>> @@ -93,6 +93,10 @@
>> document for details on why your security could be compromised
>> if the directory where logfiles are stored is writable by
>> anyone other than the user that starts the server.</p>
>> + <p>The logfiles may contain sensitive data such as the contents
> of
>> + <code>Authorization:</code> headers (which can contain
> passwords), so
>> + they should not be readable by anyone except the user that starts the
>> + server.</p>
>> </section>
>>
>> <directivesynopsis>
>> ]]]
>>
>> Perhaps it would be a useful feature to allow excluding those headers
>> from being logged, too.
>
> IMO they shouldn't be logged by default (if at all).
> Proxy-Authorization also needs to be handled. (Anything else? My
> search query foo is particularly bad today.)
>
> Attached is a potential code fix... I guess a directive could be
> added to allow them to be logged, but when would that be needed? (A.
> When the request crashes due to the exact value of one of these
> headers and the module author needs it for debugging.)
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
> For additional commands, e-mail: docs-h...@httpd.apache.org
> ---------------------------------------------------------------------
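Review bot: the added paragraph in the @@ -93,6 +93,10 @@ hunk names only `Authorization:` as the sensitive header, while the reply in this same thread already notes that Proxy-Authorization needs the same handling and the top of this message adds session cookies; suggest widening the wording to something like "credential-bearing headers such as <code>Authorization:</code>, <code>Proxy-Authorization:</code> and <code>Cookie:</code>" so the permissions advice is not read as applying to Basic auth alone. Two of the added lines ("the contents" / "of" and "can contain" / "passwords), so") have been wrapped by the mail client and carry a single `>` on the continuation, so the hunk as quoted here will not apply cleanly; the committer should take the patch from the original message rather than from this quote.

As an added example, not code from this thread or from httpd itself, here is a small Python checker for the problem Daniel describes: it parses mod_log_forensic output (the `+<id>|<request line>|<Header>:<value>|...` layout with its `%xx` escaping of `:`, `|` and `%`), reports which requests have credential-bearing headers logged, and produces a redacted line. The three log entries are constructed sample data, and treating Cookie as sensitive follows the reply at the top of this message.

```python
from urllib.parse import unquote

# Headers whose values carry credentials and do not belong in a world-readable
# forensic log (Cookie added per the follow-up at the top of this thread).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}

# Constructed sample of mod_log_forensic output (not captured traffic):
# "+<id>|<request line>|<Header>:<value>|..." and "-<id>" once the request completes.
# The module percent-escapes ':', '|', '%' and non-printables inside values.
SAMPLE_LOG = """\
+yQtJf8CoAB4AAFNXBIEAAAAA|GET /admin/ HTTP/1.1|Host:example.test%3a8080|Authorization:Basic YWxpY2U6aHVudGVyMg%3d%3d|User-Agent:curl/7.0
-yQtJf8CoAB4AAFNXBIEAAAAA
+yQtJf8CoAB4AAFNXBIEAAAAB|GET /index.html HTTP/1.1|Host:example.test|Cookie:JSESSIONID%3dabc123|Accept:*/*
-yQtJf8CoAB4AAFNXBIEAAAAB
+yQtJf8CoAB4AAFNXBIEAAAAC|GET /img/x.gif HTTP/1.1|Host:example.test|Accept:image/png
"""

def parse_request_line(line):
    """Split a '+' line into (id, request_line, {lowercased header: value})."""
    if not line.startswith("+"):
        return None          # '-<id>' completion marker or junk
    req_id, request_line, *fields = line.rstrip("\n")[1:].split("|")
    headers = {}
    for field in fields:
        name, _, value = field.partition(":")   # first ':' ends the name
        headers[name.lower()] = unquote(value)  # undo %xx escaping
    return req_id, request_line, headers

def find_sensitive(log_text):
    """Return [(id, header)] for every credential-bearing header logged."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_request_line(line)
        if parsed:
            hits += [(parsed[0], h) for h in parsed[2] if h in SENSITIVE_HEADERS]
    return hits

def redact_line(line):
    """Blank sensitive values but keep header names so the line stays parseable."""
    if not line.startswith("+"):
        return line
    fields = line.rstrip("\n").split("|")
    for i, field in enumerate(fields[2:], start=2):
        name, sep, _ = field.partition(":")
        if name.lower() in SENSITIVE_HEADERS:
            fields[i] = name + sep + "[REDACTED]"
    return "|".join(fields)
```

Running `find_sensitive` over an existing forensic log tells you whether the permissions problem already exposed credentials; `redact_line` is for scrubbing archived logs, not a substitute for fixing the file mode.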