Greetings,
This message has been automatically generated in response to the
creation of a trouble ticket regarding:
"leaks passwords to the logs",
a summary of which appears below.
There is no need to reply to this message right now. Your ticket has been
assigned an ID of [rt.cpan.org #62040]. Your ticket is accessible
on the web at:
https://rt.cpan.org/Ticket/Display.html?id=62040
Please include the string:
[rt.cpan.org #62040]
in the subject line of all future correspondence about this issue. To do so,
you may reply to this message.
Thank you,
[email protected]
-------------------------------------------------------------------------
Apache::AuthenHook seemingly logs _all_ usernames and passwords, in
clear text, to the vhost's error log:
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
"Apache::AuthenHook - user '%s', password '%s' verified",
user, password);
As far as I can see, this behavior is not documented, and impossible to
turn off (it's hard-coded in the C file) except by raising the log
level. I've verified that they do indeed show up in the vhost's logs:
[Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43]
Apache::AuthenHook - user 'Sesse', password '<censored for this bug
report>' verified
There's no good reason for this except for debugging, and even in that
case, it should only be possible to enable for the Apache admin.
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
