
Re: default Apache configuration



Hi,

Thomas Thurman wrote:
> 
> On Tue, 12 Mar 2002, Ralf Dreibrodt wrote:
> > tail -n 1 /var/log/apache/access.log
> > 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET
> > /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
> >
> > To whom does this problem belong?
> >
> > The programmer, who used GET for a login, or the sysadmin, who shows every
> > ordinary user the GET request?
> 
> The programmer. There's no reason I know why the logs shouldn't be made
> public to the users.

What about session IDs?
Should every request really be a POST request?
I do not think that this is good (HTML) programming style, but perhaps
I am wrong.

What about apache-ssl logs?
Does anyone have the possibility to test it?

> > btw, I think the apache package is not usable for a web hosting server
> > (e.g. FrontPage is missing, security is in general too bad), so I normally
> > do not use it.
> 
> Meep. You said frontpage.

Well, German customers/end users want to have FrontPage, the big companies
(Schlund, Strato, etc.) offer FrontPage, so every small
web hosting company has to do the same... unfortunately.

bye,
Ralf
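
The exposure discussed in this message (a password or session ID carried in a GET query string ends up in an access log that ordinary users can read) can be audited for and scrubbed. The following is an added example, not part of the original post; the parameter-name list and the second and third sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as secrets (assumption; extend per application).
SENSITIVE = {"password", "passwd", "pwd", "sessionid", "sid", "token"}

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line):
    """Return (redacted_line, leaked_parameter_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not leaked:
        return line, []
    clean = urlencode([(k, "REDACTED" if k.lower() in SENSITIVE else v)
                       for k, v in pairs])
    start, end = m.span("target")
    return line[:start] + urlunsplit(parts._replace(query=clean)) + line[end:], leaked

def audit(lines):
    """Return (line_number, leaked_names, redacted_line) for every leaking line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        redacted, leaked = redact_line(line)
        if leaked:
            findings.append((number, leaked, redacted))
    return findings

SAMPLE = [
    # Log line quoted in the message above, joined onto one line.
    '127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] '
    '"GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148',
    # Constructed: the same login sent as POST leaves no secret in the log.
    '127.0.0.1 - - [12/Mar/2002:13:54:02 +0100] '
    '"POST /cgi-bin/login.pl HTTP/1.1" 200 148',
    # Constructed: a session ID passed in the URL is logged like the password.
    '127.0.0.1 - - [12/Mar/2002:13:54:09 +0100] '
    '"GET /cgi-bin/inbox.pl?sid=abc123&page=2 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, leaked, redacted in audit(SAMPLE):
        print(f"line {number}: leaked {leaked}\n  {redacted}")
```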


