WebApp Sec mailing list archives

RE: IIS log


From: "Michael Howard" <mikehow () microsoft com>
Date: Tue, 5 Aug 2003 12:58:04 -0700

IIS doesn't log credit card numbers!!! There's no concept of CCs in
HTTP!!!

My guess, and it is a guess, is some other app running on top of IIS is
logging the data, or the data is in the URI.

Can you send me a snippet of the log? Replace the CC# with something
bogus.

-----Original Message-----
From: Justin H Tran [mailto:justint () us ibm com] 
Sent: Tuesday, August 05, 2003 12:35 PM
To: webappsec () securityfocus com
Subject: IIS log





I just viewed an IIS log and I noticed that the credit card # is
logged.
I believe that it is a major flaw to log the credit card # in clear text.
Does anyone have any advice?


Regards,
Justin
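
Added example, not part of the original thread: one way to check whether card numbers are reaching an IIS log through the URI, as guessed in the reply above. It assumes the W3C extended log format with a `#Fields:` directive; the sample lines, the well-known test number 4111111111111111, and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-05 19:30:01 192.0.2.10 GET /default.asp - 200
2003-08-05 19:31:12 192.0.2.10 GET /checkout.asp name=Test+User&cc=4111111111111111&exp=0805 200
2003-08-05 19:31:40 192.0.2.11 GET /checkout.asp cc=4111-1111-1111-1111 200
2003-08-05 19:32:05 192.0.2.12 GET /track.asp order=1234567890123456 200
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(log_text):
    """Return (line number, field, masked number) for Luhn-valid hits in URI fields."""
    fields, hits = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order is declared by the log itself
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        for name in ("cs-uri-stem", "cs-uri-query"):
            value = unquote_plus(row.get(name, ""))
            for m in CANDIDATE.finditer(value):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):
                    # Report only first six and last four digits.
                    masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                    hits.append((lineno, name, masked))
    return hits

if __name__ == "__main__":
    for hit in find_card_numbers(SAMPLE_LOG):
        print(hit)
```

A hit in `cs-uri-query` means the number was sent as part of the URL, for example by a form submitted with GET. The order number on the last sample line is 16 digits long but fails the Luhn check, so it is not reported.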



