Posted to cvs@httpd.apache.org by nd...@apache.org on 2010/12/18 20:56:55 UTC

svn commit: r1050700 - /httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml

Author: nd
Date: Sat Dec 18 19:56:54 2010
New Revision: 1050700

URL: http://svn.apache.org/viewvc?rev=1050700&view=rev
Log:
add security warning about the new AuthzSendForbiddenOnFailure directive.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml?rev=1050700&r1=1050699&r2=1050700&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Sat Dec 18 19:56:54 2010
@@ -603,6 +603,12 @@ authentication succeeds but authorizatio
     again, which is not wanted in all situations.
     <directive>AuthzSendForbiddenOnFailure</directive> allows to change the
     response code to '403 FORBIDDEN'.</p>
+
+    <note type="warning"><title>Security Warning</title>
+    <p>Modifying the response in case of missing authorization weakens the
+    security of the password, because it reveals to a possible attacker, that
+    his guessed password was right.</p>
+    </note>
 </usage>
 </directivesynopsis>
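Review bot: the warning in the added `<note>` names the right risk but states it imprecisely, and the sentence has a stray comma ("a possible attacker, that his guessed password was right"). The concrete point worth spelling out for readers is that a distinct '403 FORBIDDEN' on authorization failure lets a client tell "credentials valid but not authorized" apart from "credentials invalid", so the authorization step becomes an oracle for password correctness; the default 401 keeps both cases indistinguishable. Suggested wording: "Returning a different response code when authorization fails weakens password security: it tells a client that the supplied credentials were correct even though access was denied, so an attacker can confirm a guessed password." It would also help to add one sentence saying when the directive is acceptable (for example, when authorization is not tied to user credentials), and the unchanged context line "allows to change the response code" reads better as "allows the response code to be changed".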