RE: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Plüm, Rüdiger, Vodafone Group
> -Original Message-
> From: Daniel Ruggeri
> Sent: Friday, 8 June 2012 00:16
> To: dev@httpd.apache.org
> Subject: Re: [PATCH] mod_log_forensic security considerations
>
> On 6/7/2012 3:11 PM, Stefan Fritsch wrote:
> > On Thursday 07 June 2012, Eric Covener wrote:
> >> On Wed, Jun 6,

RE: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's

2012-06-07 Thread Plüm, Rüdiger, Vodafone Group
> -Original Message-
> From: Eric Covener
> Sent: Thursday, 7 June 2012 19:23
> To: dev@httpd.apache.org
> Subject: Re: post-CVE-2011-4317 (rewrite proxy unintended
> interpolation) rewrite PR's
>
> On Thu, Jun 7, 2012 at 1:14 PM, Jeff Trawick wrote:
> > Eric, what was the opt-in

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Daniel Ruggeri
On 6/7/2012 3:11 PM, Stefan Fritsch wrote:
> On Thursday 07 June 2012, Eric Covener wrote:
>> On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick wrote:
>>> On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer wrote:
>>>> Session cookies sometimes pose a security risk as well.
>>> Yeah. That could be any

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Jim Riggs
On Jun 7, 2012, at 3:11 PM, Stefan Fritsch wrote:
> I share William's concern that this makes mod_forensic potentially less
> useful.
>
> Maybe making the forensic log mode 600 by default would be a better
> idea?

I have to agree with Jeff. I would rather have a more difficult or even impossi

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Jeff Trawick
On Thu, Jun 7, 2012 at 4:11 PM, Stefan Fritsch wrote:
> On Thursday 07 June 2012, Eric Covener wrote:
>> On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick wrote:
>> > On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer wrote:
>> >> Session cookies sometimes pose a security risk as well.
>> >
>> > Yeah.

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Stefan Fritsch
On Thursday 07 June 2012, Eric Covener wrote:
> On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick wrote:
> > On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer wrote:
> >> Session cookies sometimes pose a security risk as well.
> >
> > Yeah. That could be any cookie though although there are a few
> > v

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread William A. Rowe Jr.
On 6/7/2012 1:56 PM, Jeff Trawick wrote:
> On Thu, Jun 7, 2012 at 2:18 PM, William A. Rowe Jr. wrote:
>> On 6/6/2012 2:46 PM, Jeff Trawick wrote:
>>> On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf wrote:
>>>> Perhaps it would be a useful feature to allow excluding those headers

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Jeff Trawick
On Thu, Jun 7, 2012 at 2:18 PM, William A. Rowe Jr. wrote:
> On 6/6/2012 2:46 PM, Jeff Trawick wrote:
>> On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf wrote:
>>>
>>> Perhaps it would be a useful feature to allow excluding those headers
>>> from being logged, too.
>>
>> IMO they shouldn't be

Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's

2012-06-07 Thread Eric Covener
On Thu, Jun 7, 2012 at 1:14 PM, Jeff Trawick wrote:
> On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton wrote:
>> On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote:
>>> Here are some valid requests which fail the 4317 checks:
>>>
>>> CONNECT foo.example.com[:port]
>>> GET http://foo.example.c

Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's

2012-06-07 Thread Jeff Trawick
On Thu, Jun 7, 2012 at 11:55 AM, Joe Orton wrote:
> On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote:
>> Here are some valid requests which fail the 4317 checks:
>>
>> CONNECT foo.example.com[:port]
>> GET http://foo.example.com
>> GET proxy:http://foo.example.com/    (rewriting someth

Re: post-CVE-2011-4317 (rewrite proxy unintended interpolation) rewrite PR's

2012-06-07 Thread Joe Orton
On Wed, Jun 06, 2012 at 09:08:02PM -0400, Jeff Trawick wrote:
> Here are some valid requests which fail the 4317 checks:
>
> CONNECT foo.example.com[:port]
> GET http://foo.example.com
> GET proxy:http://foo.example.com/    (rewriting something which was
> already proxied internally)
>
> I am lea