Bug#599712: [rt.cpan.org #62040] AutoReply: leaks passwords to the logs

Bugs in Apache-AuthenHook via RT bug-Apache-AuthenHook at rt.cpan.org
Mon Oct 11 05:02:56 UTC 2010


This message has been automatically generated in response to the
creation of a trouble ticket regarding:
	"leaks passwords to the logs", 
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [rt.cpan.org #62040].  Your ticket is accessible
on the web at:


Please include the string:

         [rt.cpan.org #62040]

in the subject line of all future correspondence about this issue. To do so, 
you may reply to this message.

                        Thank you,
                        bug-Apache-AuthenHook at rt.cpan.org

Apache::AuthenHook seemingly logs _all_ usernames and passwords, in
clear text, to the vhost's error log:

 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
               "Apache::AuthenHook - user '%s', password '%s' verified",
               user, password);

As far as I can see, this behavior is not documented, and impossible to
turn off (it's hard-coded in the C file) except by raising the log
level.  I've verified that they do indeed show up in the vhost's logs:

  [Sun Oct 10 13:18:45 2010] [info] [client] Apache::AuthenHook - user 'Sesse', password '<censored for this bug report>' verified

There's no good reason for this except for debugging, and even in that
case, it should only be possible to enable for the Apache admin.

More information about the pkg-perl-maintainers mailing list
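Added example, not part of the bug report and not code from Apache::AuthenHook: a small Python scrubber for error logs that already contain the message quoted above. It matches the format string hard-coded in the module ("Apache::AuthenHook - user '%s', password '%s' verified"), reports which usernames had their password written in the clear, and rewrites those lines with the password redacted so the file can be kept for its other content. Because the call uses APLOG_INFO, the line is only emitted when the vhost's LogLevel is info or debug (the Apache default is warn), so setting LogLevel warn stops new leaks; the scrubber is for logs written before that. The sample log lines are constructed for this example, and the 192.0.2.x client addresses are documentation addresses, not data from the report.

```python
import re

# Message format hard-coded in Apache::AuthenHook's C source (quoted in the bug report):
#   "Apache::AuthenHook - user '%s', password '%s' verified"
# The regex matches that message wherever it sits in an Apache 2.2-style error_log
# line. The password group is greedy on purpose: a password containing quotes is
# captured whole, because the message always terminates with "' verified".
LEAK_RE = re.compile(
    r"Apache::AuthenHook - user '(?P<user>.*?)', password '(?P<password>.*)' verified\s*$"
)

REDACTED = "[REDACTED]"


def find_leaks(lines):
    """Return (line_number, user, password) for every log line that leaks a credential."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LEAK_RE.search(line)
        if m:
            hits.append((lineno, m.group("user"), m.group("password")))
    return hits


def redact_line(line):
    """Return the line with the cleartext password replaced; non-matching lines pass through unchanged."""
    m = LEAK_RE.search(line)
    if not m:
        return line
    start, end = m.span("password")
    return line[:start] + REDACTED + line[end:]


def scrub_log(lines):
    """Redact every leaking line and return the list of users whose passwords were exposed."""
    scrubbed = [redact_line(line) for line in lines]
    exposed = sorted({user for _, user, _ in find_leaks(lines)})
    return scrubbed, exposed


# Constructed sample error_log lines (hypothetical; not taken from the bug report).
SAMPLE_LOG = [
    "[Sun Oct 10 13:18:45 2010] [info] [client 192.0.2.10] Apache::AuthenHook - user 'Sesse', password 'hunter2' verified",
    "[Sun Oct 10 13:18:46 2010] [notice] Apache/2.2.16 (Debian) configured -- resuming normal operations",
    "[Sun Oct 10 13:19:01 2010] [info] [client 192.0.2.11] Apache::AuthenHook - user 'alice', password 'it's a 'quoted' one' verified",
    "[Sun Oct 10 13:19:02 2010] [error] [client 192.0.2.12] File does not exist: /var/www/favicon.ico",
]

if __name__ == "__main__":
    import sys

    # Read a real error_log from stdin; with no piped input, run on the constructed sample.
    if sys.stdin.isatty():
        lines = SAMPLE_LOG
    else:
        lines = [line.rstrip("\n") for line in sys.stdin]
    scrubbed, exposed = scrub_log(lines)
    for line in scrubbed:
        print(line)
    print(f"# {len(exposed)} user(s) with a password written to this log: {', '.join(exposed)}",
          file=sys.stderr)
```

Usage: `python scrub.py < error.log > error.log.scrubbed`, then replace the original. Rotated copies, any central syslog or log-shipping target, and backups of the log directory need the same pass, since every one of them holds the same cleartext. The list of exposed users printed to stderr is the more important output: those passwords have been readable by everyone with access to the logs and should be treated as compromised and reset, whatever the scrubber does to the file afterwards.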