Re: Hidden requests to Apache

From: Jurjen Oskam (jurjenat_private)
Date: Thu Oct 25 2001 - 00:28:56 PDT

    On Wed, Oct 24, 2001 at 09:09:59PM +0100, smiler wrote:
    
    > Don't know if this has been brought up before.
    > It's possible to "cheat" an Apache SysAdministrator and make him think that
    > his server didn't log a HTTP request or make him think that a request has
    > been made by another IP address.
    
    The insertion of control characters that get recorded in the log file is
    documented, and not at all buried deep in the documentation:
    
    
    http://httpd.apache.org/docs/logs.html
    
    "In addition, log files may contain information supplied directly by the
    client, without escaping. Therefore, it is possible for malicious clients
    to insert control-characters in the log files, so care must be taken in
    dealing with raw logs."
    
    
    
    
    -- 
          Jurjen Oskam * http://www.stupendous.org/ for PGP key * Q265230
        9:19am  up 22:42,  1 user,  load average: 0.00, 0.00, 0.00
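
A check for the caveat quoted from the Apache documentation, as an added example that is not part of the original post: it scans raw access-log lines for control bytes and renders them escaped so they can be read safely in a terminal. The function names and the sample log lines are constructed for illustration.

```python
import re

# C0 control bytes and DEL; the line's own trailing newline is stripped first.
CONTROL = re.compile(rb"[\x00-\x1f\x7f]")


def find_control_bytes(raw: bytes):
    """Return (offset, byte value) for each control byte in one raw log line."""
    body = raw.rstrip(b"\n")
    return [(m.start(), m.group()[0]) for m in CONTROL.finditer(body)]


def render_safe(raw: bytes) -> str:
    """Render a raw line with control, non-ASCII and backslash bytes as \\xNN."""
    body = raw.rstrip(b"\n")
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != 0x5C else f"\\x{b:02x}"
        for b in body
    )


def audit(lines):
    """Return (line number, safe rendering, hits) for lines with control bytes."""
    report = []
    for number, raw in enumerate(lines, start=1):
        hits = find_control_bytes(raw)
        if hits:
            report.append((number, render_safe(raw), hits))
    return report


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE = [
    b'192.0.2.10 - - [25/Oct/2001:09:00:01 +0200] "GET /index.html HTTP/1.0" 200 1043\n',
    b'192.0.2.77 - - [25/Oct/2001:09:00:07 +0200] "GET /a\rb HTTP/1.0" 404 210\n',
    b'192.0.2.10 - - [25/Oct/2001:09:00:09 +0200] "GET /x\x08\x08 HTTP/1.0" 404 210\n',
]

if __name__ == "__main__":
    for number, safe, hits in audit(SAMPLE):
        codes = ", ".join(f"0x{value:02x}@{offset}" for offset, value in hits)
        print(f"line {number}: {codes}\n  {safe}")
```

Read the log in binary mode when feeding it to `audit`, so that no decoding step alters or drops the bytes being checked.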
    



    This archive was generated by hypermail 2b30 : Thu Oct 25 2001 - 10:31:28 PDT