Greetings,

This message has been automatically generated in response to the
creation of a trouble ticket regarding:
        "leaks passwords to the logs", 
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [rt.cpan.org #62040].  Your ticket is accessible
on the web at:

    https://rt.cpan.org/Ticket/Display.html?id=62040

Please include the string:

         [rt.cpan.org #62040]

in the subject line of all future correspondence about this issue. To do so, 
you may reply to this message.

                        Thank you,
                        bug-apache-authenh...@rt.cpan.org

-------------------------------------------------------------------------
Apache::AuthenHook seemingly logs _all_ usernames and passwords, in
clear text, to the vhost's error log:

 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
               "Apache::AuthenHook - user '%s', password '%s' verified",
               user, password);

As far as I can see, this behavior is not documented, and impossible to
turn off (it's hard-coded in the C file) except by raising the log
level.  I've verified that they do indeed show up in the vhost's logs:

  [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43] Apache::AuthenHook - user 'Sesse', password '<censored for this bug report>' verified

There's no good reason for this except for debugging, and even in that
case, it should only be possible to enable for the Apache admin.

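The log line quoted above is in the Apache 2.2 error-log format, which means an admin running this module already has credentials sitting on disk in every vhost error log (and in whatever copies logrotate, backups or a central log collector have made). As an added example, not part of this bug report and not code from Apache::AuthenHook, the following Python scans such a log for the module's message, reports which users' credentials were written out (so they can be rotated) and rewrites the affected lines with the password redacted. The regex, the function names and the sample log lines, including the passwords and client addresses in them, are assumptions constructed for this example.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Assumed shape of the Apache 2.2 error-log line produced by the ap_log_rerror
# call quoted in the report:
#   [date] [level] [client ip] Apache::AuthenHook - user 'U', password 'P' verified
# The user is matched lazily and the password greedily up to the closing
# "' verified", so a password (or user) containing single quotes is still
# captured whole instead of being cut at the first quote.
LEAK_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z]+)\] \[client (?P<client>[^\]]+)\] "
    r"Apache::AuthenHook - user '(?P<user>.*?)', password '(?P<password>.*)' verified$"
)


class Leak(NamedTuple):
    """One log line that carried a clear-text password (the password itself is
    deliberately not kept: knowing whose credential leaked is enough to rotate it)."""
    timestamp: str
    level: str
    client: str
    user: str


def parse_leak(line: str) -> Optional[Leak]:
    """Return a Leak if this line is an AuthenHook credential line, else None."""
    m = LEAK_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return Leak(m["ts"], m["level"], m["client"], m["user"])


def find_leaks(lines: Iterable[str]) -> List[Leak]:
    """All credential-bearing lines in a log, in order of appearance."""
    return [leak for leak in map(parse_leak, lines) if leak is not None]


def exposed_users(lines: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated list of users whose password was written to the log."""
    return sorted({leak.user for leak in find_leaks(lines)})


def redact_line(line: str) -> str:
    """Replace the password on an AuthenHook line with '<redacted>'; leave other lines untouched."""
    body = line.rstrip("\r\n")
    m = LEAK_RE.match(body)
    if m is None:
        return line
    start, end = m.span("password")
    # Keep the original line terminator (if any) so the file layout is preserved.
    return body[:start] + "<redacted>" + body[end:] + line[len(body):]


def redact_log(lines: Iterable[str]) -> List[str]:
    """Redact every line of a log; suitable for rewriting a file before it is shipped or archived."""
    return [redact_line(line) for line in lines]


# Constructed sample log: the two passwords, the second user name and the
# 192.0.2.x client addresses are invented for this example.
SAMPLE_LOG = [
    "[Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43] "
    "Apache::AuthenHook - user 'Sesse', password 'hunter2' verified",
    "[Sun Oct 10 13:19:02 2010] [info] [client 192.0.2.7] "
    "Apache::AuthenHook - user 'o'brien', password 'it's-a-secret' verified",
    "[Sun Oct 10 13:19:10 2010] [error] [client 192.0.2.8] "
    "File does not exist: /var/www/favicon.ico",
]


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"{leak.timestamp}: password of user {leak.user!r} logged (client {leak.client})")
    print("users to rotate:", exposed_users(SAMPLE_LOG))
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Run it over a real file with `find_leaks(open("/var/log/apache2/error.log"))`; rotating the listed users' passwords and scrubbing every copy of the log (rotated files, backups, remote collectors) is the cleanup the bug implies. The regex is tied to the 2.2 prefix shown in the report; Apache 2.4 writes a different prefix (module:level, pid and client port), so the leading part of the pattern would need adjusting there.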
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org