Greetings,

This message has been automatically generated in response to the creation of a trouble ticket regarding: "leaks passwords to the logs", a summary of which appears below.

There is no need to reply to this message right now. Your ticket has been assigned an ID of [rt.cpan.org #62040].

Your ticket is accessible on the web at: https://rt.cpan.org/Ticket/Display.html?id=62040

Please include the string: [rt.cpan.org #62040] in the subject line of all future correspondence about this issue. To do so, you may reply to this message.

Thank you,
bug-apache-authenh...@rt.cpan.org

-------------------------------------------------------------------------

Apache::AuthenHook seemingly logs _all_ usernames and passwords, in clear text, to the vhost's error log:

    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                  "Apache::AuthenHook - user '%s', password '%s' verified",
                  user, password);

As far as I can see, this behavior is not documented, and impossible to turn off (it's hard-coded in the C file) except by raising the log level.

I've verified that they do indeed show up in the vhost's logs:

    [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43] Apache::AuthenHook - user 'Sesse', password '<censored for this bug report>' verified

There's no good reason for this except for debugging, and even in that case, it should only be possible to enable for the Apache admin.
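For cleaning up logs already written by the call quoted in the report, the following is an added example (not part of the original report and not Apache::AuthenHook code): a Python script that finds lines in that message format, lists the usernames whose passwords were exposed, and redacts the password field. The sample log lines, client addresses, the `scrub` function name and the `[REDACTED]` placeholder are constructed for illustration.

```python
import re

# Message format taken from the ap_log_rerror() call quoted in the report.
# The password group is greedy and anchored on the trailing "' verified", so
# a password that itself contains single quotes is still captured whole.
LEAK_RE = re.compile(
    r"^(?P<prefix>.*Apache::AuthenHook - user '(?P<user>.*?)', password ')"
    r"(?P<password>.*)(?P<suffix>' verified)\s*$"
)
CLIENT_RE = re.compile(r"\[client (?P<ip>[^\]]+)\]")

# Constructed sample lines (not real log data), following the layout of the
# log line quoted in the report.
SAMPLE_LOG = """\
[Sun Oct 10 13:18:45 2010] [info] [client 192.0.2.10] Apache::AuthenHook - user 'alice', password 'hunter2' verified
[Sun Oct 10 13:19:02 2010] [error] [client 192.0.2.11] File does not exist: /var/www/favicon.ico
[Sun Oct 10 13:20:17 2010] [info] [client 192.0.2.12] Apache::AuthenHook - user 'bob', password 'it's, a 'quoted' one' verified
[Sun Oct 10 13:21:40 2010] [info] [client 192.0.2.10] Apache::AuthenHook - user 'alice', password 'hunter2' verified
"""


def scrub(lines, placeholder="[REDACTED]"):
    """Return (redacted_lines, exposed); exposed maps user -> set of client IPs."""
    redacted, exposed = [], {}
    for line in lines:
        m = LEAK_RE.match(line)
        if not m:
            redacted.append(line)  # unrelated log line, keep unchanged
            continue
        client = CLIENT_RE.search(m.group("prefix"))
        ip = client.group("ip") if client else "unknown"
        exposed.setdefault(m.group("user"), set()).add(ip)
        # Rebuild the line without ever copying the captured password.
        redacted.append(m.group("prefix") + placeholder + m.group("suffix"))
    return redacted, exposed


if __name__ == "__main__":
    clean, exposed = scrub(SAMPLE_LOG.splitlines())
    print("\n".join(clean))
    for user, clients in sorted(exposed.items()):
        print(f"rotate password for {user!r} (seen from {', '.join(sorted(clients))})")
```

Rotated and compressed copies of the error log hold the same lines and need the same pass, and every listed account should be treated as having a disclosed password.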