Bug#599712: [rt.cpan.org #62040] AutoReply: leaks passwords to the logs
Bugs in Apache-AuthenHook via RT
bug-Apache-AuthenHook at rt.cpan.org
Mon Oct 11 05:02:56 UTC 2010
Greetings,
This message has been automatically generated in response to the
creation of a trouble ticket regarding:
"leaks passwords to the logs",
a summary of which appears below.
There is no need to reply to this message right now. Your ticket has been
assigned an ID of [rt.cpan.org #62040]. Your ticket is accessible
on the web at:
https://rt.cpan.org/Ticket/Display.html?id=62040
Please include the string:
[rt.cpan.org #62040]
in the subject line of all future correspondence about this issue. To do so,
you may reply to this message.
Thank you,
bug-Apache-AuthenHook at rt.cpan.org
-------------------------------------------------------------------------
Apache::AuthenHook seemingly logs _all_ usernames and passwords, in
clear text, to the vhost's error log:
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
"Apache::AuthenHook - user '%s', password '%s' verified",
user, password);
As far as I can see, this behavior is not documented, and impossible to
turn off (it's hard-coded in the C file) except by raising the log
level. I've verified that they do indeed show up in the vhost's logs:
[Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43]
Apache::AuthenHook - user 'Sesse', password '<censored for this bug
report>' verified
There's no good reason for this except for debugging, and even in that
case, it should only be possible to enable for the Apache admin.
More information about the pkg-perl-maintainers
mailing list