Log4net

Database Risk and PCI Compliance with ado.net appender

    Details

      Description

      Per our PCI/Risk exposure reviewer, the ADO.NET appender in log4net is a risk. Essentially, if somebody can gain access to the config file, they can change the config file to run any query via an error.

      Obviously, there's a bigger concern if somebody can change a config file.

      The reviewer felt that with log4net being a popular tool this was a high risk because of how easy it would be for an attacker to change it.
      Other logging tools make a call to a hard-coded stored procedure to log to a database.

      If the ADO.NET appender could be changed to call a fixed stored procedure and perhaps pass parameters, with some fixed and maybe a concatenated string for a variable number of parameters, the risk would probably be removed. The SP would be responsible for working with the concatenated string. A formatter may be the way to go to make the concatenated string.

        Activity

        Jonathan Choy added a comment -

        The mitigation for PCI compliance would seem to be the programmatic configuration of the appender which you need to write to the database, or the creation of a locally maintained appender which meets these security requirements. Recommend "won't-fix".

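An added example, not from this issue or from the log4net code base, combining the two mitigations raised above: the reporter's fixed stored procedure with typed parameters, and the programmatic configuration Jonathan Choy recommends. Because the appender is built in code, the statement it runs is compiled into the application rather than read from an editable config file. The procedure name dbo.WriteLogEntry, its parameter names, the SqlClient connection type and the idea that the caller fetches the connection string from a protected store are all assumptions made for the example.

```csharp
using System;
using System.Data;
using log4net;
using log4net.Appender;
using log4net.Config;
using log4net.Core;
using log4net.Layout;

// Example code, not part of log4net or of the issue above.
// Expected procedure (assumed, must exist in the target database):
//   CREATE PROCEDURE dbo.WriteLogEntry
//     @log_date datetime, @level nvarchar(50), @logger nvarchar(255),
//     @message nvarchar(4000), @exception nvarchar(4000)
//   AS INSERT INTO dbo.Log (LogDate, Level, Logger, Message, Exception)
//      VALUES (@log_date, @level, @logger, @message, @exception);
public static class SecureDbLogging
{
    // Builds the appender in code. CommandText is only a procedure name and
    // CommandType is StoredProcedure, so no free-form SQL is ever sent; every
    // event value travels as a typed, sized parameter.
    public static AdoNetAppender CreateAppender(string connectionString)
    {
        var appender = new AdoNetAppender
        {
            Name = "FixedProcAppender",
            ConnectionType = "System.Data.SqlClient.SqlConnection, System.Data", // assumed provider
            ConnectionString = connectionString,
            CommandType = CommandType.StoredProcedure,
            CommandText = "dbo.WriteLogEntry", // assumed procedure name
            BufferSize = 1,                    // flush each event immediately
            Threshold = Level.Info
        };

        appender.AddParameter(Param("@log_date", DbType.DateTime, 0, new RawTimeStampLayout()));
        appender.AddParameter(Param("@level", DbType.String, 50, Pattern("%level")));
        appender.AddParameter(Param("@logger", DbType.String, 255, Pattern("%logger")));
        appender.AddParameter(Param("@message", DbType.String, 4000, Pattern("%message")));
        appender.AddParameter(Param("@exception", DbType.String, 4000,
            new Layout2RawLayoutAdapter(new ExceptionLayout())));

        appender.ActivateOptions();
        return appender;
    }

    // Registers the appender with the default repository and returns a logger.
    // The connection string should come from a protected store (DPAPI, a vault),
    // not from the same file that used to carry the SQL text.
    public static ILog Configure(string connectionString)
    {
        BasicConfigurator.Configure(CreateAppender(connectionString));
        return LogManager.GetLogger(typeof(SecureDbLogging));
    }

    private static AdoNetAppenderParameter Param(string name, DbType type, int size, IRawLayout layout)
    {
        return new AdoNetAppenderParameter
        {
            ParameterName = name,
            DbType = type,
            Size = size,      // 0 leaves the provider default (used for the datetime parameter)
            Layout = layout
        };
    }

    // Wraps a PatternLayout so it can feed a single parameter value.
    private static IRawLayout Pattern(string pattern)
    {
        var layout = new PatternLayout(pattern);
        layout.ActivateOptions();
        return new Layout2RawLayoutAdapter(layout);
    }
}
```

Two checks belong with this setup. First, keep CommandType at StoredProcedure: with CommandType.Text the CommandText is once again an arbitrary statement, which is the exact exposure the reviewer flagged. Second, give the database login used here EXECUTE on dbo.WriteLogEntry and nothing else, so that even a tampered connection string or a compromised application cannot turn the logging channel into a general query path.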
        Stefan Bodewig made changes -
        Fix Version/s: 1.2 Maintenance Release [ 12317606 ]
        Tim Schwallie created issue -

          People

          Assignee: Unassigned
          Reporter: Tim Schwallie