[Techtalk] webalizer stats and ?query strings

Brenda Bell k15a-list-linuxchix at theotherbell.com
Thu Feb 6 16:20:52 EST 2003


Quoting Katie Bechtold <katie at katie-and-rob.org>:

> [I wonder whether the webalizer developers didn't originally include
> those characters because they thought most people wouldn't want to
> distinguish query strings or because it might create a security
> vulnerability (would it?).]

Short of a site that uses query strings for logins and passwords (bad,
bad, bad), I can't think of any reason why it would be.  After all,
webalizer is only reporting information that's already in the log to
begin with; any security vulnerabilities would really be the fault of
the web application (get vs. post).  Seems to me they were simply
short-sighted in their thinking that the query string would never be
required to uniquely identify the destination URL.

Incidentally, I had never heard of Webalizer until I saw these posts.
Thanks, Emma :)

-- 
Brenda
http://opensource.theotherbell.com
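
Added example, not part of the original post: a log pre-processing check for the case raised above, where a site passes credentials in GET query strings and they end up in the access log (and so in any report built from it). It assumes Common/Combined Log Format input; the `SENSITIVE` parameter names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Assumed list of parameter names to treat as secrets; adjust per application.
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "sessionid", "apikey"}

# Request field of a Common/Combined Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample lines (documentation IP range, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Feb/2003:16:20:52 -0500] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '192.0.2.11 - - [06/Feb/2003:16:21:03 -0500] "GET /article?id=42 HTTP/1.1" 200 2048',
    '192.0.2.12 - - [06/Feb/2003:16:21:40 -0500] "POST /login HTTP/1.1" 302 0',
]

def redact_target(target):
    """Return (target, hits): secret values replaced, hits = redacted names."""
    path, sep, query = target.partition("?")
    if not sep:
        return target, []
    hits, pairs = [], []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    # Leave the target byte-for-byte untouched when nothing was redacted.
    return (path + "?" + urlencode(pairs), hits) if hits else (target, [])

def audit(lines):
    """Return (clean_lines, findings); findings are (line_no, path, names)."""
    clean, findings = [], []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        target, hits = redact_target(m.group("target")) if m else (None, [])
        if hits:
            findings.append((lineno, target.partition("?")[0], hits))
            line = line[:m.start("target")] + target + line[m.end("target"):]
        clean.append(line)
    return clean, findings

if __name__ == "__main__":
    clean, findings = audit(SAMPLE_LOG)
    for lineno, path, names in findings:
        print(f"line {lineno}: {path} carries {', '.join(names)} in the query string")
    print("\n".join(clean))
```

The findings list points at the endpoints that should move to POST; the cleaned lines are what a statistics tool configured to keep query strings should be fed.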



