WebApp Sec mailing list archives

RE: IIS log


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 5 Aug 2003 16:07:38 -0400

If someone is using the GET method in a form that accepts credit card
numbers, then the numbers will end up in a log file.  Forms that accept
personal information should always use the POST method.

Richard

-----Original Message-----
From: Michael Howard [mailto:mikehow () microsoft com] 
Sent: Tuesday, August 05, 2003 3:58 PM
To: Justin H Tran; webappsec () securityfocus com
Subject: RE: IIS log


IIS doesn't log credit card numbers!!! There's no concept of CCs in
HTTP!!! 

My guess, and it is a guess, is some other app running on top of IIS is
logging the data, or the data is in the URI.

Can you send me a snippet of the log? Replace the CC# with something
bogus.

-----Original Message-----
From: Justin H Tran [mailto:justint () us ibm com] 
Sent: Tuesday, August 05, 2003 12:35 PM
To: webappsec () securityfocus com
Subject: IIS log





I just viewed an IIS log and I noticed that the credit card # is
logged.
I believe that this is a major flaw to log credit card # in clear text.
Does anyone have any advice?


Regards,
Justin
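
An added example, not part of the original thread or any poster's code: a check for the case discussed above, where a GET form puts card numbers into the cs-uri-query field of an IIS W3C extended log. It finds Luhn-valid runs of 13 to 19 digits in that field and masks all but the last four; the sample log lines and function names are constructed for illustration.

```python
import re

# Constructed sample in IIS W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-05 16:35:01 192.0.2.10 GET /order.asp name=Test&cc=4111111111111111&exp=0805 200
2003-08-05 16:35:07 192.0.2.11 GET /order.asp name=Test&cc=4111-1111-1111-1111 200
2003-08-05 16:35:09 192.0.2.12 GET /item.asp id=1234567890123456 200
2003-08-05 16:35:12 192.0.2.10 POST /order.asp - 200
"""

# 13-19 digits, optionally separated by '-' or '+' (form-encoded space).
CANDIDATE = re.compile(r"(?<!\d)\d(?:[-+]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scrub_query(query):
    """Mask Luhn-valid digit runs; return (masked_query, hit_count)."""
    hits = 0
    def repl(m):
        nonlocal hits
        digits = re.sub(r"[-+]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        hits += 1
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(repl, query), hits

def scrub_log(text):
    """Return (scrubbed_text, line numbers whose query held a card number)."""
    out, flagged, qidx = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is set by this directive
            qidx = fields.index("cs-uri-query") if "cs-uri-query" in fields else None
        elif not line.startswith("#") and qidx is not None:
            cols = line.split(" ")
            if qidx < len(cols):
                cols[qidx], hits = scrub_query(cols[qidx])
                if hits:
                    flagged.append(n)
                line = " ".join(cols)
        out.append(line)
    return "\n".join(out) + "\n", flagged
```

Scrubbing existing logs only cleans up after the fact; the POST entry in the sample shows that the query column stays empty once the form stops using GET.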



