
Re: default Apache configuration



On Tue, Mar 12, 2002 at 03:10:43PM +0100, Ralf Dreibrodt wrote:
> Hi,
> 
> I just saw an error on a Debian box with apache(-common) 1.3.9-13.2:
> 
> drwxr-xr-x   14 root     root         4096 Dec  7 13:52 /var
> drwxr-xr-x    6 root     root         4096 Mar 11 06:30 /var/log
> drwxr-xr-x    2 root     root         4096 Mar 10 06:25 /var/log/apache
> -rw-rw-r--    1 www-data nogroup    134382 Mar 12 13:45
> /var/log/apache/access.log
> 
> tail -n 1 /var/log/apache/access.log
> 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET
> /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
> 

Never use GET for password fields.

> To whom does this problem belong?
> 
> The programmer who used GET for a login, or the sysadmin who shows every
> ordinary user the GET request?
> 
> BTW, I think the apache package is not usable for a webhosting server
> (e.g. frontpage is missing, security is in general too bad), so I normally

Uhm, security is also worse if you enable FrontPage extensions.
Moreover, I think there are major DFSG problems which keep
FP extensions off Debian.

-- 
Francesco P. Lovergine
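
An added example, not part of the original message or of the Debian apache package: a small Python audit helper covering both halves of the question in this thread. It flags and redacts credential-like query parameters in Common Log Format lines, and tests whether a file mode such as the quoted `-rw-rw-r--` (0664) is world-readable. The `SENSITIVE` name list and the function names are assumptions made for the example.

```python
import re
import stat
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names treated as secrets (an assumption; extend for your apps).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "secret"}

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line):
    """Return (redacted_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    leaked, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            leaked.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    if not leaked:
        return line, []  # nothing sensitive: leave the line byte-for-byte
    # Note: urlencode() normalises percent-encoding of the other parameters.
    target = parts._replace(query=urlencode(pairs)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], leaked

def world_readable(mode):
    """True if the 'other' read bit is set in a file mode (st_mode or octal)."""
    return bool(mode & stat.S_IROTH)

# Constructed sample, modelled on the log line quoted in the message.
SAMPLE = ('127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] '
          '"GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148')

if __name__ == "__main__":
    redacted, leaked = redact_line(SAMPLE)
    print("leaked parameters:", leaked)
    print(redacted)
    print("0664 world-readable:", world_readable(0o664))
    print("0640 world-readable:", world_readable(0o640))
```

Against a real log, pass `os.stat(path).st_mode` to `world_readable()` and feed each line of the file to `redact_line()`.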


