[rt-users] Logging DB password in http-error.log

Jens Andersson jens.andersson at teleservice.net
Thu Mar 9 06:59:07 EST 2006


> > We get this message in our apache http-error.log all the time.
> >
> > 49694 Apache::DBI             need ping: 49694 Apache::DBI
> > new connect to
> > 'dbname=rt3;host=localhost^\rt_user^\password^\AutoCommit=1^
> > \PrintError=
> > 1^\Username=rt_user'
> >
> > Why are the password logged in plain text?
> 
> Did you set LogLevel to 'debug' somewhere? And why do 
> untrustworthy people have access to your log files?

No, no debug loglevel.

And of course no, there are no untrustworthy people that have access to
our log files but passwords shouldn't be stored in our log files.

// Jens



More information about the rt-users mailing list