
RE: default Apache configuration



Hi!

> >
> > On Tue, 12 Mar 2002, Ralf Dreibrodt wrote:
> > > tail -n 1 /var/log/apache/access.log
> > > 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET
> > > /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
> > >
> > > to whom belongs this problem?
> > >

I would say firstly the programmer who used GET for a password field, _and_
secondly the admin who is giving his password to a non-SSL web form!

> >
> > The programmer. There's no reason I know why the logs shouldn't be made
> > public to the users.
>
> Should really every request be a POST request?
> I do not think that this is a good (html) programming style, but perhaps
> I am wrong.
>
There is no reason to make every request a POST request.
You should use a POST request if the request contains
 - a password field
 - a lot of data
 - data which may modify a database at the server-side

There is no reason to use POST if the request contains only parameters like
 - keywords for a search engine
 - a session id
 - a page number

I think I've read about this in an RFC, but I don't know exactly in which
one.


> what about apache-ssl-logs?
> has anyone the possibility to test it?
>

Yes, it's the same: everyone can read it, and the full GET requests are
enclosed.
The ssl extension only means that the server communicates over https instead
of http.

regards,
        Tibor Repasi
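One practical check for the problem discussed in this thread, added here as an example and not part of the original mail: scan Apache access-log lines for credentials passed in a query string (which the server logs regardless of http or https) and produce a redacted copy for anyone who reads the logs. The first sample line is the one quoted above; the other two lines and the list of sensitive parameter names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Apache common log format, as in the quoted access.log entry.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed list of parameter names that must never appear in a logged URL.
SENSITIVE = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Constructed sample log: line 1 is the entry quoted in the thread.
LOG_LINES = [
    '127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148',
    '10.0.0.5 - - [12/Mar/2002:13:54:02 +0100] "GET /search.pl?keywords=apache&page=2 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/Mar/2002:13:55:40 +0100] "POST /cgi-bin/login.pl HTTP/1.1" 302 0',
]

def find_sensitive_params(line):
    """Return the sorted sensitive parameter names found in one log line's query string.
    Only the URL is examined: a POST body is never written to access.log."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE})

def scan(lines):
    """Return (line_number, [param names]) for every line that leaks a credential."""
    return [(i, p) for i, l in enumerate(lines, 1) if (p := find_sensitive_params(l))]

def redact(line):
    """Rewrite the log line with sensitive parameter values replaced by [REDACTED]."""
    m = LOG_RE.match(line)
    if not m or not find_sensitive_params(line):
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_target = urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))
    return line[:m.start("target")] + new_target + line[m.end("target"):]

if __name__ == "__main__":
    for n, params in scan(LOG_LINES):
        print(f"line {n}: credential in query string ({', '.join(params)})")
        print("  redacted:", redact(LOG_LINES[n - 1]))
```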