Posted to apache-bugdb@apache.org by Scott Ellentuch <ap...@ttsg.com> on 2000/02/12 19:38:00 UTC
mod_log-any/5747: Does not log userid/pass if brought in on URL line
>Number: 5747
>Category: mod_log-any
>Synopsis: Does not log userid/pass if brought in on URL line
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sat Feb 12 10:40:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: apache@ttsg.com
>Release: 1.3.9
>Organization:
apache
>Environment:
BSD/OS gladsheim.ttsg.com 4.0.1 BSDI BSD/OS 4.0.1 Kernel #0: Mon Dec 13 09:54:37 EST 1999 root@gladsheim.ttsg.com:/usr/src/sys/compile/GLADSHEIM i386
gladsheim% gcc -v
gcc version 2.7.2.1
>Description:
When attempting to log hits, the system does not log the userid and pass in
the ref information if it came in with a:
http://user:pass@site/page/
format.
>How-To-Repeat:
1) Create $APACHEROOT/htdocs/protected
2) Put the following .htaccess
AuthUserFile $APACHEROOT/protected/.htpasswd
AuthName "TEST"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
3) Add an id/pass to the file
4) Put in your httpd.conf
<Directory $APACHEROOT/protected>
AddHandler cgi-script .cgi
DirectoryIndex index.cgi index.html index.shtml
AllowOverride AuthConfig Limit
Options +ExecCGI
</Directory>
5) Make sure CustomLog is set to "combined", or uncomment the CustomLog for
referer
6) Copy $APACHEROOT/cgi-bin/printenv $APACHEROOT/htdocs/protected/index.cgi
7) Add to the bottom of the index.cgi
print '<A HREF="/protected/index2.cgi">TEST</A>';
8) Access it at http://userid:pass@site/protected
It only logs as :
heimdall.ttsg.com - ttsg [12/Feb/2000:13:28:19 -0500] "GET /protected/ HTTP/1.0" 200 1157 "-" "Mozilla/4.6 [en] (X11; I; BSD/OS 4.0.1 i386; Nav)"
heimdall.ttsg.com - ttsg [12/Feb/2000:13:28:21 -0500] "GET /protected/index.cgi HTTP/1.0" 200 1166 "http://valhalla.ttsg.com/protected/" "Mozilla/4.6 [en] (X11; I; BSD/OS 4.0.1 i386; Nav)"
>Fix:
Nope.
>Release-Note:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]