From: André Malo
Date: Sat, 18 Dec 2010 19:56:54 +0000 (+0000)
Subject: add security warning about the new AuthzSendForbiddenOnFailure directive.
X-Git-Tag: 2.3.11~366
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12ef4855bd91c7ee3b3b898a6fd86efaf21f0f4b;p=thirdparty%2Fapache%2Fhttpd.git
add security warning about the new AuthzSendForbiddenOnFailure directive.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1050700 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_authz_core.xml b/docs/manual/mod/mod_authz_core.xml
index 262240d4867..03a3648ff36 100644
--- a/docs/manual/mod/mod_authz_core.xml
+++ b/docs/manual/mod/mod_authz_core.xml
@@ -603,6 +603,12 @@ authentication succeeds but authorization fails
again, which is not wanted in all situations.
AuthzSendForbiddenOnFailure allows to change the
response code to '403 FORBIDDEN'.
+
+ Security Warning
+ Modifying the response in case of missing authorization weakens the
+ security of the password, because it reveals to a possible attacker, that
+ his guessed password was right.
+
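Review bot: The added "Security Warning" paragraph never says which response difference leaks the information, so a reader has to infer it from the preceding text. "Modifying the response in case of missing authorization" could be tied to the directive explicitly: with AuthzSendForbiddenOnFailure enabled, a '403 FORBIDDEN' answer is only sent once authentication has succeeded, so a client can tell a correct password from a wrong one even when the user is not authorized for the resource. It would also help to say that the risk applies to accounts that can authenticate but are not authorized for the protected location, since those are the ones whose passwords become confirmable. As a style point, the comma in "attacker, that" should go, and "his guessed password" reads better as "the guessed password".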