
Possible Duplicate:
Is it possible to exclude specified GET parameters in apache access logs?

There is a security hole hidden in Apache's log:

For example, if you enter a URL such as http://localhost/meeting/import.php?cmd=admin&password=pass&userName=hsh&meetingID=123 into the browser, then access.log will record it completely. This is a security problem because it records the security parameters: cmd=admin&password=pass&userName=hsh&meetingID=123.

Now, I want to control my log output so that the parameters are replaced with the @ symbol. If I request a URL which does not include security parameters, such as http://localhost/meeting/op.do, access.log must record it, but if I enter a URL which includes security parameters, such as http://localhost/meeting/import.php?cmd=admin&password=pass&userName=hsh&meetingID=123, then the regular expression replacement must work and it will save http://localhost/meeting/import.php?cmd=@@&password=@@&userName=@@&meetingID=@@ into the logs. What should I do to achieve this? Note: my development environment is W7. Thanks!

  • If your GET params contain sensitive information, your web application is faultily designed. In this case, log file contents should be your least concern! Anyway, see [Is it possible to exclude specified GET parameters in apache access logs](http://stackoverflow.com/questions/9467405) for a solution. – f_puras Sep 17 '12 at 14:25
  • Thanks for your response, and I extremely agree with your opinion about my faulty app design, but I want to know if there is a solution for this case or not. – ShuiHua Huang Sep 18 '12 at 02:08
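
One way to get the masking the question asks for, as an added example that is not part of the original thread: a filter script that Apache feeds through its piped-log mechanism (`CustomLog "|program"`), so only masked lines reach the file. The script name `mask_log.py`, the function names and the placeholder paths are assumptions.

```python
"""Mask query-string values in Apache access-log lines (added example).

Assumed wiring via Apache's piped logs (paths are placeholders):
    CustomLog "|<python> <path>/mask_log.py <path>/access.log" combined
"""
import re
import sys

MASK = "@@"
# A query string: everything after '?' up to whitespace, a quote or '#'.
QUERY_RE = re.compile(r'\?([^\s"#]*)')


def mask_query(query):
    """Keep parameter names and separators, replace every value with MASK."""
    out = []
    for part in re.split(r"([&;])", query):
        name, eq, _value = part.partition("=")
        # Separators and bare flags (no '=') pass through unchanged.
        out.append(name + eq + MASK if eq else part)
    return "".join(out)


def mask_line(line):
    """Mask every query string in one log line (request line and Referer)."""
    return QUERY_RE.sub(lambda m: "?" + mask_query(m.group(1)), line)


def main(log_path):
    # Apache writes one log line at a time to our stdin; append the masked
    # form and flush so the file stays current.
    with open(log_path, "a", encoding="utf-8") as log:
        for line in sys.stdin:
            log.write(mask_line(line))
            log.flush()


if __name__ == "__main__":
    main(sys.argv[1])
```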
