Re: prevent cgi-bin script execution prior to authorization dialog success

> Here's from the access.log:
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] "GET /favicon.ico HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
>

Looks like two page loads 30 seconds apart, but I notice there is no
request for the CGI itself for the first one but requests for the page
elements.
Are you sure there's no browser caching in the way here?  And perhaps
the basic auth credentials are cached for the /cgi-bin/ path but the
browser doesn't send them automatically for the static elements that
don't share a context root?

A private/incognito window, or temporarily logging %{Authorization}i
might clear some things up.
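
One way to act on the suggestion of temporarily logging %{Authorization}i, as an added example that is not part of the original message: a script that reads an access log with that header appended and reports which requests arrived without credentials. The `authdebug` format name, the sample lines and the `alice` credentials are constructed; since a Basic header is just base64 of `user:password`, the script reports only the user name, and the debug log itself should be deleted once the test is done.

```python
import base64
import re

# Assumed debug format: Apache "combined" plus the Authorization request header.
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Authorization}i\"" authdebug
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<auth>[^"]*)"$'
)

def describe_auth(header):
    """Summarise an Authorization header without echoing the secret."""
    if header in ("", "-"):
        return "none"
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic":
        return scheme + " (redacted)"
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:
        return "Basic (undecodable)"
    return "Basic user=" + decoded.partition(":")[0]

def analyse(lines):
    """Return (path, status, auth summary) for every line that parses."""
    rows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["path"], int(m["status"]), describe_auth(m["auth"])))
    return rows

def unauthenticated_401s(rows):
    """Paths the server rejected because no credentials were sent at all."""
    return sorted({p for p, status, auth in rows if status == 401 and auth == "none"})

# Constructed sample lines modelled on the quoted access.log; the credentials are made up.
_CRED = base64.b64encode(b"alice:not-a-real-password").decode()
SAMPLE = [
    '127.0.0.1 - alice [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser '
    'HTTP/1.1" 200 3867 "-" "Mozilla/5.0" "Basic ' + _CRED + '"',
    '127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png '
    'HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for row in analyse(SAMPLE):
        print(*row, sep="\t")
    print("401 without credentials:", unauthenticated_401s(analyse(SAMPLE)))
```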
