> The password is also LOGGED when the web-based administration tool is
> used. It can be obtained by simply grep'ing the logfile output. The
> offending line is here:
>
> <08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))

It seems that many people still do not get the idea that POST should be used instead of GET in any situation where authentication takes place via an HTML page. The GET arguments can show up not only in a web server log, but in the log of a proxy server standing between the web server and the person trying to authenticate.

Philip
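A defender-side check for the leak described above, added here as an example and not part of the original message: it parses the REQ field of log lines in the quoted format, flags query parameters whose names suggest credentials (parsing by parameter name rather than grepping for substrings), and redacts their values so the log can be retained. The parameter-name list and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that commonly carry credentials (constructed list; extend for your apps).
SENSITIVE_PARAMS = {"pass", "password", "passwd", "pwd", "secret", "token", "apikey"}

# Matches the REQ:"..." field of the log format shown in the quoted message.
REQ_RE = re.compile(r'REQ:"(?P<req>[^"]*)"')

# Constructed sample log lines in that format; the first mirrors the one quoted in the post.
SAMPLE_LOG = [
    '<08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0)',
    '<08/20/99@06:12:05> [http:1 my.computer.com] REQ:"/index.html" (Mozilla/4.0)',
    '<08/20/99@06:13:30> [http:1 my.computer.com] REQ:"/search.cgi?q=password+policy" (Mozilla/4.0)',
]

def find_leaked_credentials(log_line):
    """Return {param: value} for sensitive query parameters in the request field, or {}."""
    m = REQ_RE.search(log_line)
    if not m:
        return {}
    query = urlsplit(m.group("req")).query
    # Keyed on the parameter name, so "q=password+policy" is not a false positive.
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS}

def redact_line(log_line):
    """Replace the value of every sensitive query parameter with [REDACTED]."""
    def redact_req(m):
        req = m.group("req")
        for name in SENSITIVE_PARAMS:
            req = re.sub(rf'(?i)([?&]{re.escape(name)}=)[^&]*', r'\1[REDACTED]', req)
        return f'REQ:"{req}"'
    return REQ_RE.sub(redact_req, log_line)

def scan_log(lines):
    """Return (line_number, leaked_params) for each line that exposes credentials."""
    return [(i, found) for i, line in enumerate(lines, 1)
            if (found := find_leaked_credentials(line))]

if __name__ == "__main__":
    for lineno, found in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: credential in query string: {sorted(found)}")
        print("  redacted:", redact_line(SAMPLE_LOG[lineno - 1]))
```

Note that redaction only limits the damage after the fact; the fix the post calls for is to stop sending credentials in the query string at all, since proxy logs upstream are outside the site's control.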
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:58:00 PDT