Verification field stored in www_server_4991.log
- Article Type: General
- Product: Aleph
- Product Version: 18.01
Description:
Problem:
For some X services, such as BOR-AUTH, it is mandatory to enter the user password and verification.
However, the verification also appears in the www log file.
This is a security problem: the verification should not appear in the log file.
Example:
If I do this:
http://il-aleph07:8993/X?op=bor-auth&library=usm50&bor_id=313972002
Then I get an error message: "Both Bor_Id and Verification must be supplied"
If I do this then it works:
http://il-aleph07:8993/X?op=bor-auth&library=usm50&bor_id=313972002&verification=313972002
But the log file stores the verification, and this is considered a security breach:
2010-03-17 12:43:42 74 [000] [vrb] server_main: OUT 0.0382 435
2010-03-17 12:44:00 17 [000] [vrb] IN 20100317 124400
ip address: 10.1.234.8 587
request: "/X?op=bor-auth&library=usm50&bor_id=313972002&verification=313972002"
X SERVICE: BOR-AUTH
The verification should not be stored in the www_server log file.
Resolution:
Fixed in v.20 by rpc #3339
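For www_server log files already written before the fix, the verification values remain on disk. The following is an added example, not Ex Libris code: it masks the verification parameter on request lines in the format shown above and lists the bor_id values whose verification was logged. The function names and the `[REDACTED]` marker are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# "verification" is the parameter named in the article; add others as needed.
SENSITIVE = {"verification"}
MASK = "[REDACTED]"
# Matches the quoted URL on a 'request: "..."' line as shown in the excerpt.
REQUEST_RE = re.compile(r'request:\s*"([^"]*)"')


def redact_query(url):
    """Return (redacted_url, params); params maps lowercased names to values."""
    path, sep, query = url.partition("?")
    if not sep:
        return url, {}
    params, kept = {}, []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        key = unquote_plus(name).lower()
        params[key] = unquote_plus(value)
        kept.append(f"{name}={MASK}" if key in SENSITIVE else pair)
    return path + "?" + "&".join(kept), params


def scrub_log(lines):
    """Mask secrets on request lines; return (clean_lines, exposed_bor_ids),
    where exposed_bor_ids lists patrons whose verification was logged."""
    clean, exposed = [], []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            url, params = redact_query(m.group(1))
            if params.keys() & SENSITIVE:
                exposed.append(params.get("bor_id", "<unknown>"))
            line = line[:m.start(1)] + url + line[m.end(1):]
        clean.append(line)
    return clean, exposed


# Log excerpt from the article, plus one constructed line without a secret.
SAMPLE = [
    "2010-03-17 12:44:00 17 [000] [vrb] IN 20100317 124400",
    "ip address: 10.1.234.8 587",
    'request: "/X?op=bor-auth&library=usm50&bor_id=313972002&verification=313972002"',
    'request: "/X?op=bor-auth&library=usm50&bor_id=313972002"',  # constructed
    "X SERVICE: BOR-AUTH",
]

if __name__ == "__main__":
    print(*scrub_log(SAMPLE)[0], sep="\n")
```

The list of exposed bor_id values identifies the patrons whose verification should be changed after the log files are cleaned.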
- Article last edited: 10/8/2013