Posted to apache-bugdb@apache.org by Scott Ellentuch <ap...@ttsg.com> on 2000/02/12 19:38:00 UTC

mod_log-any/5747: Does not log userid/pass if brought in on URL line

>Number:         5747
>Category:       mod_log-any
>Synopsis:       Does not log userid/pass if brought in on URL line
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Feb 12 10:40:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     apache@ttsg.com
>Release:        1.3.9
>Organization:
apache
>Environment:
BSD/OS gladsheim.ttsg.com 4.0.1 BSDI BSD/OS 4.0.1 Kernel #0: Mon Dec 13 09:54:37 EST 1999     root@gladsheim.ttsg.com:/usr/src/sys/compile/GLADSHEIM  i386

gladsheim% gcc -v
gcc version 2.7.2.1
>Description:
When attempting to log hits, the system does not log the userid and pass in
the ref information if it came in with a:

http://user:pass@site/page/

format.
>How-To-Repeat:
1) Create $APACHEROOT/htdocs/protected
2) Put the following .htaccess
AuthUserFile $APACHEROOT/protected/.htpasswd
AuthName "TEST"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
3) Add an id/pass to the file
4) Put in your httpd.conf 
<Directory $APACHEROOT/protected>
AddHandler cgi-script .cgi
DirectoryIndex index.cgi index.html index.shtml
AllowOverride AuthConfig Limit
Options +ExecCGI
</Directory>
5) Make sure CustomLog is set to "combined", or uncomment the CustomLog for
referer
6) Copy $APACHEROOT/cgi-bin/printenv $APACHEROOT/htdocs/protected/index.cgi
7) Add to the bottom of the index.cgi

print "<A HREF=\"/protected/index2.cgi\">TEST</A>";

8) Access it at http://userid:pass@site/protected

It only logs as:

heimdall.ttsg.com - ttsg [12/Feb/2000:13:28:19 -0500] "GET /protected/ HTTP/1.0" 200 1157 "-" "Mozilla/4.6 [en] (X11; I; BSD/OS 4.0.1 i386; Nav)"
heimdall.ttsg.com - ttsg [12/Feb/2000:13:28:21 -0500] "GET /protected/index.cgi HTTP/1.0" 200 1166 "http://valhalla.ttsg.com/protected/" "Mozilla/4.6 [en] (X11; I; BSD/OS 4.0.1 i386; Nav)"
>Fix:
Nope.
>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]