Received: (qmail 58646 invoked by uid 65534); 12 Feb 2000 18:38:00 -0000 Message-Id: <20000212183800.58645.qmail@locus.apache.org> Date: 12 Feb 2000 18:38:00 -0000 From: Scott Ellentuch Reply-To: apache@ttsg.com To: submit@bugz.apache.org Subject: Does not log userid/pass if brought in on URL line X-Send-Pr-Version: 3.110 >Number: 5747 >Category: mod_log-any >Synopsis: Does not log userid/pass if brought in on URL line >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Sat Feb 12 10:40:00 PST 2000 >Closed-Date: Wed May 03 13:13:21 PDT 2000 >Last-Modified: Wed May 03 13:13:21 PDT 2000 >Originator: apache@ttsg.com >Release: 1.3.9 >Organization: >Environment: BSD/OS gladsheim.ttsg.com 4.0.1 BSDI BSD/OS 4.0.1 Kernel #0: Mon Dec 13 09:54:37 EST 1999 root@gladsheim.ttsg.com:/usr/src/sys/compile/GLADSHEIM i386 gladsheim% gcc -v gcc version 2.7.2.1 >Description: When attepting to log hits, the system does not log the userid and pass in the ref information if it came in with a : http://user:pass@site/page/ format. >How-To-Repeat: 1) Create $APACHEROOT/htdocs/protected 2) Put the following .htaccess AuthUserFile $APACHEROOT/protected/.htpasswd AuthName "TEST" AuthType Basic require valid-user 3) Add an id/pass to the file 4) Put in your httpd.conf AddHandler cgi-script .cgi DirectoryIndex index.cgi index.html index.shtml AllowOverride AuthConfig Limit Options +ExecCGI 5) Make sure CustomLog is set to "combined", or uncomment the CustomLog for referer 6) Copy $APACHEROOT/cgi-bin/printenv $APACHEROOT/htdocs/protected/index.cgi 7) Add to the bottom of the index.cgi print "\TEST\<\/A\>"; 8) Access it at http://userid:pass@site/protected It only logs as : heimdall.ttsg.com - ttsg [12/Feb/2000:13:28:19 -0500] "GET /protected/ HTTP/1.0" 200 1157 "-" "Mozilla/4.6 [en] (X11; I; BSD/OS 4.0.1 i386; Nav)" heimdall.ttsg.com - ttsg [12/Feb/2000:13:28:21 -0500] "GET /protected/index.cgi HTTP/1.0" 200 1166 "http://valhalla.ttsg.com/protected/" "Mozilla/4.6 [en] (X11; I; BSD/OS 4.0.1 i386; Nav)" >Fix: Nope. >Release-Note: >Audit-Trail: From: Marc Slemko To: Apache bugs database Cc: Subject: Re: mod_log-any/5747 (fwd) Date: Mon, 21 Feb 2000 11:41:17 -0700 (MST) ---------- Forwarded message ---------- Date: Sat, 12 Feb 2000 15:57:25 -0500 (EST) From: TTSG To: Marc Slemko Subject: Re: mod_log-any/5747 > > Sorry, I think you had better look again. The client doesn't send it, > period. If it did sent it in some cases, then that would be a major > security hole and should be fixed in the client. As it is, allowing this > to be specified in the URL is a security hole and should never have been > implemented by browsers. The way it is implemented is a hack that only > partially works and has numerous problems. > From a Netscape server log : format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] "%Req->reqpb.clf-re uest%" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length% "%Req->headers.r ferer%" "%Req->headers.user-agent%" 208.33.224.36 - - [12/Feb/2000:12:54:27 -0800] "GET /protected/news2.htm HTTP/1. 0" 401 223 "http://furer:deg6@207.87.7.16/mea1x.htm" "Mozilla/4.03 [en] (Win95; I)" Tuc/TTSG State-Changed-From-To: open-closed State-Changed-By: coar State-Changed-When: Wed May 3 13:13:21 PDT 2000 State-Changed-Why: According to RFC 1738, section 3.3, usernames and passwords are NOT ALLOWED in http-schemed URLs. So even if some browsers and servers support this, it is technically illegal and Apache is perfectly correct in ignoring the auth information passed thusly. >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]