Re: squid logging full GET URL

From: Jonathan Larmour <[email protected]>
Date: Sun, 22 Jun 1997 18:30:58 +0100

At 11:38 22/06/97 -0400, Evan Champion wrote:
>Cord Beermann wrote:
>> <IMHO>I think that security hole is the one who wrote the cgi (or
>> whatever) which puts passwords on the URL.</IMHO>
>
>I totally agree, but that doesn't change the fact that people still do
>it.

And with something with such a dreadful password system, its highly
unlikely to protect anything important, otherwise they would use a better
system. All you need to find someone's password for things is to look at
the history in their browser.

>> If I produce statistics I strip all data after the ? from the URL.
>
>Yes, but data after the ? is still in the access log. It doesn't really
>contribute much to me, and is a big security hole.

No it isn't. Having your logs world-readable is a security risk. You should
make sure the logs directory is only readable by the user squid runs as. If
you think this isn't safe because someone might hack your server, I can
assure you that if they did, they could do much worse things than that. You
can't trust squid if you can't trust the security of the server you run it on.

Anyway, full logging would sometimes be important to know the full URL of
something for debugging.

Jonathan L.

Origin UK,323 Cambridge Science Park,Cambridge,England. Tel: +44(1223)423355
------[ Do not think that every sad-eyed woman has loved and lost... ]------
April 12th! Ra!Ra!----[ she may have got him. -Anon ]-----April 12th! Ra!Ra!
Help fight spam! http://spam.abuse.net/ These opinions are all my own fault
Received on Sun Jun 22 1997 - 10:39:34 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:33 MST