0

Possible Duplicate:
Is it possible to exclude specified GET parameters in apache access logs?

There has a security hole hidden in apache's log:

such as if you input a URL about http://localhost/meeting/import.php?cmd=admin&password=pass&userName=hsh&meetingID=123 into the browser,then the access.log will complete record it, so this is a security question because it recording the security parameter:cmd=admin&password=pass&userName=hsh&meetingID=123.

Now,I want to control my log printing that make the parameter replaced with @ symbol, if I execute a url which not including security parameter such as http://localhost/meeting/op.do, access.log must record it, but if I input a url which incuding security parameter such as http://localhost/meeting/import.php>?cmd=admin&password=pass&userName=hsh&meetingID=123 ,then the regular expression replacement must work and it will sove: http://localhost/meeting/import.php?cmd=@@&password=@@&userName=@@&meetingID=@@ into logs,What should I go to achieve? remind:My develop environment is W7.thanks!

4

0 に答える 0