Re: default Apache configuration
Ralf Dreibrodt wrote:
> Hi,
>
> I just saw an error on a Debian box with apache(-common) 1.3.9-13.2:
>
> drwxr-xr-x 14 root root 4096 Dec 7 13:52 /var
> drwxr-xr-x 6 root root 4096 Mar 11 06:30 /var/log
> drwxr-xr-x 2 root root 4096 Mar 10 06:25 /var/log/apache
> -rw-rw-r-- 1 www-data nogroup 134382 Mar 12 13:45 /var/log/apache/access.log
>
> tail -n 1 /var/log/apache/access.log
> 127.0.0.1 - - [12/Mar/2002:13:53:15 +0100] "GET /cgi-bin/login.pl?user=admin&password=tztztz HTTP/1.1" 200 148
>
> To whom does this problem belong?
>
> The programmer who used GET for a login, or the sysadmin who shows every
> ordinary user the GET request?
The programmer. This is a very bad practice; the password also lands in the
logs of w3caches along the way, in browser history, etc.
Alex
--
C _-=-_ H| Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling | | *
; (_O : +-------------------------------------------------------------+ --+~|
! &~) ? | I want to sail East, beyond Suez, where every evil is a good | l_|/
A ~-=-~ O| Where the ten commandments are lacking, and one can drink to the bottom; | |