On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer <joe_schae...@yahoo.com> wrote:
> Session cookies sometimes pose a security risk as well.

Yeah.  That could be any cookie, though, although there are a few very
common defaults :(  My guess is that cookie values are more useful for
debugging crashes than Authorization headers, but that it should still
be opt-in.

Thoughts, anyone?

>
>
>
> ----- Original Message -----
>> From: Jeff Trawick <traw...@gmail.com>
>> To: d...@httpd.apache.org; dev@httpd.apache.org
>> Cc:
>> Sent: Wednesday, June 6, 2012 3:46 PM
>> Subject: Re: [PATCH] mod_log_forensic security considerations
>>
>> On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf <d...@daniel.shahaf.name>
>> wrote:
>>>  https://blogs.apache.org/infra/entry/apache_org_incident_report_for
>>>
>>>  Infra got bit by mod_log_forensic logs including Authorization headers
>>>  and being world-readable, so in an effort to save someone else from
>>>  repeating this mistake how about adding it to the "Security
>>>  considerations" section of the documentation:
>>>
>>>  [[[
>>>  Index: docs/manual/mod/mod_log_forensic.xml
>>>  ===================================================================
>>>  --- docs/manual/mod/mod_log_forensic.xml        (revision 1342688)
>>>  +++ docs/manual/mod/mod_log_forensic.xml        (working copy)
>>>  @@ -93,6 +93,10 @@
>>>      document for details on why your security could be compromised
>>>      if the directory where logfiles are stored is writable by
>>>      anyone other than the user that starts the server.</p>
>>>  +    <p>The logfiles may contain sensitive data such as the contents
>> of
>>>  +    <code>Authorization:</code> headers (which can contain
>> passwords), so
>>>  +    they should not be readable by anyone except the user that starts the
>>>  +    server.</p>
>>>   </section>
>>>
>>>   <directivesynopsis>
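Review bot: In the added paragraph, <code>Authorization:</code> is the only header named after "such as", but the thread raises the same concern for Proxy-Authorization and for cookies that carry session identifiers; naming them would keep readers from treating Authorization as the only exposure. The sentence also only says the files "should not be readable by anyone except the user that starts the server"; stating the expected ownership and mode (owner-only) would make the advice actionable.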
>>>  ]]]
>>>
>>>  Perhaps it would be a useful feature to allow excluding those headers
>>>  from being logged, too.
>>
>> IMO they shouldn't be logged by default (if at all).
>> Proxy-Authorization also needs to be handled.  (Anything else?  My
>> search query foo is particularly bad today.)
>>
>> Attached is a potential code fix...  I guess a directive could be
>> added to allow them to be logged, but when would that be needed?  (A.
>> When the request crashes due to the exact value of one of these
>> headers and the module author needs it for debugging.)
>>
>> --
>> Born in Roswell... married an alien...
>> http://emptyhammock.com/
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: docs-h...@httpd.apache.org
>>
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
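
Added example, not part of the thread or of the httpd code base: scrubbing the headers discussed above (Authorization, Proxy-Authorization, cookies) from an existing forensic log and flagging a log file that others can read. It assumes the line layout given in the mod_log_forensic documentation (`+ID|request line|Name:value|...`, closed by `-ID`); the function names and the sample lines are constructed for illustration.

```python
import stat

# Headers named in the thread; Cookie covers session cookies.
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}


def redact_line(line):
    """Replace the values of sensitive headers in one forensic log line.

    Assumed format: '+ID|request line|Name:value|...' opens a request and
    '-ID' closes it. The module %-escapes '|' and ':' inside values, so
    splitting on '|' and on the first ':' of a field is safe.
    """
    if not line.startswith("+"):
        return line                       # '-ID' markers carry no headers
    body = line.rstrip("\n")
    fields = body.split("|")
    out = fields[:2]                      # forensic ID and request line
    for field in fields[2:]:
        name, sep, _value = field.partition(":")
        if sep and name.strip().lower() in SENSITIVE:
            field = name + ":[REDACTED]"
        out.append(field)
    return "|".join(out) + line[len(body):]   # keep the original newline


def readable_by_others(mode):
    """True if group or other can read a file with this st_mode."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample log lines (not taken from any real server).
SAMPLE = [
    "+ExampleID0001|GET /private/ HTTP/1.1|Host:example.test"
    "|Authorization:Basic ZGVtbzpkZW1v|Cookie:SESSION=abc123|Accept:*/*\n",
    "-ExampleID0001\n",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(redact_line(sample_line), end="")
    print("0644 readable by others:", readable_by_others(0o100644))
    print("0600 readable by others:", readable_by_others(0o100600))
```

The request line is left untouched, so credentials passed in a query string would still need separate handling.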
