WebApp Sec mailing list archives
RE: IIS log
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 5 Aug 2003 16:07:38 -0400
If someone is using the GET method in a form that accepts credit card numbers, then the numbers will end up in a log file. Forms that accept personal information should always use the POST method.

Richard

-----Original Message-----
From: Michael Howard [mailto:mikehow () microsoft com]
Sent: Tuesday, August 05, 2003 3:58 PM
To: Justin H Tran; webappsec () securityfocus com
Subject: RE: IIS log

IIS doesn't log credit card numbers!!! There's no concept of CCs in HTTP!!!

My guess, and it is a guess, is some other app running on top of IIS is logging the data, or the data is in the URI.

Can you send me a snippet of the log? Replace the CC# with something bogus.

-----Original Message-----
From: Justin H Tran [mailto:justint () us ibm com]
Sent: Tuesday, August 05, 2003 12:35 PM
To: webappsec () securityfocus com
Subject: IIS log

I just viewed an IIS log and I noticed that the credit card # is logged. I believe that this is a major flaw to log credit card # in clear text. Does anyone have any advice?

Regards,
Justin