Posted to bugs@httpd.apache.org by bu...@apache.org on 2023/01/18 10:08:16 UTC

[Bug 66430] New: Sensitive Information Disclosure in error.log

https://bz.apache.org/bugzilla/show_bug.cgi?id=66430

            Bug ID: 66430
           Summary: Sensitive Information Disclosure in error.log
           Product: Apache httpd-2
           Version: 2.4.51
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Core
          Assignee: bugs@httpd.apache.org
          Reporter: abhiseks@opentext.com
  Target Milestone: ---

Hi,

We found that during the startup/shutdown of the httpd server, 'notice' level
logs are generated in error.log even though the log level of the module is
above it. As part of this, the complete path of the process is disclosed in the
log file, which causes disclosure of sensitive information.

Ex - [Wed Jan 18 03:30:09.575677 2023] [core:notice] [pid 1109] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

Upon further investigation we found that these logs are printed from the file
below. Please find below the code snippet from the /httpd-2.4.51/server/log.c
file.
    if (s->error_log) {
        /*
         * If we are doing normal logging, don't log messages that are
         * above the module's log level unless it is a startup/shutdown notice
         */
        if ((level_and_mask != APLOG_NOTICE)
            && (level_and_mask > configured_level)) {
            return;
        }
        logf = s->error_log;
    }

Please let me know if there is a way to suppress this log as part of the
startup/shutdown.
If there is no other way, can it be fixed as part of the next release of the
product?

Best Regards.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 66430] Sensitive Information Disclosure in error.log

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66430

Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Joe Orton <jo...@redhat.com> ---
You seem to imply the path to the httpd binary is "sensitive information" for
an administrator privileged to read error_log, which seems quite ludicrous.

If you need to create a "sanitized" error_log you should do that with a
filtering piped logger.

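The filtering piped logger that the comment above recommends, as an added example that is not part of the bug thread and not httpd's own code. httpd starts the program named in an ErrorLog "|..." directive once and writes every error_log line to its stdin; the script below drops lines carrying the AH00094 startup notice quoted in the report and appends the rest to the log file named on its command line. The script path and log path in the ErrorLog directive are placeholders.

```shell
#!/bin/sh
# Added example: a filtering piped logger for httpd's error_log.
# Assumed httpd.conf wiring (both paths are placeholders):
#   ErrorLog "|/usr/local/bin/filter_error_log.sh /var/log/httpd/error_log"
#
# httpd keeps the pipe open for the server's lifetime, so the filter must
# keep reading until stdin closes; the "while read" loop does exactly that,
# and printf flushes each line as it arrives instead of block-buffering.

# Drop lines that carry the AH00094 "Command line:" notice; pass every
# other line through unchanged.
filter_error_log() {
    while IFS= read -r line; do
        case "$line" in
            *"AH00094:"*) continue ;;          # startup notice, suppressed
            *) printf '%s\n' "$line" ;;        # everything else is kept
        esac
    done
}

# Only run the pipeline when invoked by httpd with a target file argument,
# so the function can also be sourced and exercised on its own.
if [ "$#" -ge 1 ]; then
    filter_error_log >> "$1"
fi
```

The match is deliberately on the AH00094 message id rather than on the path text, so the filter keeps working if the binary is installed elsewhere; widen the case pattern with further message ids if other startup notices should be suppressed as well, and keep the remaining lines intact so error_log still serves incident investigation.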