Re: default Apache configuration

To: Ralf Dreibrodt <ralf@dreibrodt.de>
Cc: debian-security@lists.debian.org
Subject: Re: default Apache configuration
From: Janusz A.Urbanowicz <alex@bofh.torun.pl>
Date: Tue, 12 Mar 2002 15:27:35 +0100 (CET)
Message-id: <[🔎] E16knFY-0004IT-00@syjon.fantastyka.net>
In-reply-to: <[🔎] 3C8E0C63.20AC508A@dreibrodt.de> from Ralf Dreibrodt at "Mar 12, 2002 03:10:43 pm"

Ralf Dreibrodt wrote/napisał[a]/schrieb:
> Hi,
> 
> i just saw an error on a debian box with apache(-common) 1.3.9-13.2:
> 
> drwxr-xr-x   14 root     root         4096 Dec  7 13:52 /var
> drwxr-xr-x    6 root     root         4096 Mar 11 06:30 /var/log
> drwxr-xr-x    2 root     root         4096 Mar 10 06:25 /var/log/apache
> -rw-rw-r--    1 www-data nogroup    134382 Mar 12 13:45
> /var/log/apache/access.log
> 
> tail -n 1 /var/log/apache/access.log
> 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET
> /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
> 
> to whom belongs this problem?
> 
> the programmer, who used GET for a login or the sysadmin who shows every
> ordinary user the GET-request?

The programmer. This is a very bad practice, the password also lands in the
logs of w3caches along the way, in browser history, etc.

Alex
-- 
C _-=-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling |         |   *  	
 ; (_O : +-------------------------------------------------------------+ --+~|	
 ! &~) ? | Płynąć chcę na Wschód, za Suez, gdzie jest dobrem każde zło | l_|/	
A ~-=-~ O| Gdzie przykazań brak dziesięciu, a pić można aż po dno;     |   |

Reply to:

Follow-Ups:
- Re: default Apache configuration
  - From: "Justin R. Miller" <incanus@codesorcery.net>

References:
- default Apache configuration
  - From: Ralf Dreibrodt <ralf@dreibrodt.de>

Prev by Date: Re: default Apache configuration
Next by Date: Re: default Apache configuration
Previous by thread: Re: default Apache configuration
Next by thread: Re: default Apache configuration
Index(es):
- Date
- Thread