On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick wrote:
> On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer wrote:
>> Session cookies sometimes pose a security risk as well.
>
> Yeah. That could be any cookie though although there are a few very
> common defaults :( My guess is that cookie values are mo

On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer wrote:
> Session cookies sometimes pose a security risk as well.
Yeah. That could be any cookie though although there are a few very
common defaults :( My guess is that cookie values are more useful for
debugging crashes than Authorization headers, b

On Sat, May 26, 2012 at 9:19 AM, Rainer Jung wrote:
> On 24.05.2012 17:12, Eric Covener wrote:
>>
>> There are a couple of PR's going around about people who were using
>> rewrite to operate on URL's now kicked out of mod_rewrite by default
>> (IIRC at least proxy:blah and CONNECT arg)
>>
>> Shoul

On Thu, May 24, 2012 at 3:30 PM, William A. Rowe Jr. wrote:
> On 5/24/2012 12:05 PM, Luke Lozier wrote:
>> One of the PCI scanning companies is demanding an upgrade to 2.4.2 due to
>> the issues
>> described in this CVE:
>>
>> Changes with Apache 2.2.23
>>
>> *) SECURITY: CVE-2012-0883 (cve.mit

Session cookies sometimes pose a security risk as well.
- Original Message -
> From: Jeff Trawick
> To: d...@httpd.apache.org; dev@httpd.apache.org
> Cc:
> Sent: Wednesday, June 6, 2012 3:46 PM
> Subject: Re: [PATCH] mod_log_forensic security considerations
>
> On Tue, May 29, 2012 at

On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf wrote:
> https://blogs.apache.org/infra/entry/apache_org_incident_report_for
>
> Infra got bit by mod_log_forensic logs including Authorization headers
> and being world-readable, so in an effort to save someone else from
> repeating this mistake how