Pantek Library

RE: IIS log

From: Richard M. Smith <rms(at)computerbytesman.com>
Date: Tue Aug 05 2003 - 16:07:38 EDT


If someone is using the GET method in a form that accepts credit card numbers, then the numbers will end up in a log file. Forms that accept personal information should always use the POST method.

Richard

-----Original Message-----

From: Michael Howard [mailto:mikehow@microsoft.com]
Sent: Tuesday, August 05, 2003 3:58 PM
To: Justin H Tran; webappsec@securityfocus.com
Subject: RE: IIS log

IIS doesn't log credit card numbers!!! There's no concept of CCs in HTTP!!! My guess, and it is a guess, is some other app running on top of IIS is logging the data, or the data is in the URI.

Can you send me a snippet of the log? Replace the CC# with something bogus.

-----Original Message-----

From: Justin H Tran [mailto:justint@us.ibm.com]
Sent: Tuesday, August 05, 2003 12:35 PM
To: webappsec@securityfocus.com
Subject: IIS log

I just viewed an IIS log and I noticed that the credit card # is logged.
I believe that this is a major flaw to log credit card # in clear text. Does anyone have any advice?

Regards,
Justin

Received on Tue Aug 5 18:24:40 2003
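The thread's point, that card numbers submitted by a GET form land in the logged URI, can be checked for in existing logs. The following is an added example, not part of any message in the thread: it reads the `#Fields:` directive of a W3C extended log, scans only the `cs-uri-query` column for Luhn-valid 13 to 19 digit runs, and masks them. The sample log lines, addresses and paths are constructed for illustration.

```python
import re

# Constructed sample in IIS W3C extended log format (not from the thread).
# 4111111111111111 is a standard test card number; 1234567890123456 fails Luhn.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-05 16:35:02 192.0.2.10 GET /order.asp name=J+Doe&cc=4111111111111111&exp=0105 200
2003-08-05 16:35:09 192.0.2.11 GET /order.asp cc=4111-1111-1111-1111 200
2003-08-05 16:36:40 192.0.2.12 GET /track.asp id=1234567890123456 200
2003-08-05 16:37:12 192.0.2.13 POST /order.asp - 200
"""

# 13 to 19 digits, optionally separated by '-' or '+' (a form-encoded space).
CANDIDATE = re.compile(r"(?<!\d)\d(?:[-+]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(match):
    """Keep first 6 and last 4 digits of a Luhn-valid match; leave others alone."""
    digits = re.sub(r"\D", "", match.group())
    if not luhn_ok(digits):
        return match.group()
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan(log_text):
    """Return (findings, redacted_log); findings are (line_no, uri_stem, masked_query)."""
    fields, findings, out = [], [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order is declared per log file
        elif line and not line.startswith("#") and "cs-uri-query" in fields:
            cols = line.split(" ")
            q = fields.index("cs-uri-query")
            if q < len(cols):
                redacted = CANDIDATE.sub(mask, cols[q])
                if redacted != cols[q]:
                    stem = cols[fields.index("cs-uri-stem")] if "cs-uri-stem" in fields else "?"
                    findings.append((n, stem, redacted))
                    cols[q] = redacted
                line = " ".join(cols)
        out.append(line)
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG)[0]:
        print(finding)
```

The POST line shows `-` in `cs-uri-query` because the form body is not part of the logged URI, which is why the scan reports nothing for it.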


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT

