Posted to cvs@httpd.apache.org by nd...@apache.org on 2010/12/18 20:56:55 UTC
svn commit: r1050700 - /httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
Author: nd
Date: Sat Dec 18 19:56:54 2010
New Revision: 1050700
URL: http://svn.apache.org/viewvc?rev=1050700&view=rev
Log:
add security warning about the new AuthzSendForbiddenOnFailure directive.
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml?rev=1050700&r1=1050699&r2=1050700&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Sat Dec 18 19:56:54 2010
@@ -603,6 +603,12 @@ authentication succeeds but authorizatio
again, which is not wanted in all situations.
<directive>AuthzSendForbiddenOnFailure</directive> allows to change the
response code to '403 FORBIDDEN'.</p>
+
+ <note type="warning"><title>Security Warning</title>
+ <p>Modifying the response in case of missing authorization weakens the
+ security of the password, because it reveals to a possible attacker, that
+ his guessed password was right.</p>
+ </note>
</usage>
</directivesynopsis>
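Review bot: The added <p> inside <note type="warning"> names the consequence but not the mechanism, so a reader cannot tell why changing the response leaks anything. Per the surrounding text, '403 FORBIDDEN' is sent only when authentication succeeds but authorization fails, so the 403 itself confirms that a guessed password is valid even for an account that is not allowed in; say that explicitly in the note. Wording nits in the same paragraph: drop the comma before "that" and replace "his guessed password" with neutral phrasing, e.g. "because it reveals to a possible attacker that the guessed password was right".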