
Database Risk and PCI Compliance with ADO.NET appender

      Description

      Per our PCI/Risk exposure reviewer, the ADO.NET appender in log4net is a risk. Essentially, if somebody can gain access to the config file, they can change the config file to run any query via an error.

      Obviously, there's a bigger concern if somebody can change a config file.

      The reviewer felt that, with log4net being a popular tool, this was a high risk because of how easy it would be for an attacker to change it.
      Other logging tools make a call to a hard-coded stored procedure to log to a database.

      If the ADO.NET appender could be changed to call a fixed stored procedure and perhaps pass parameters, some fixed and maybe a concatenated string for a variable number of parameters, the risk would probably be removed. The SP would be responsible for working with the concatenated string. A formatter may be the way to go to make the concatenated string.
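As an added illustration (not part of this issue and not code shipped by the log4net project), the two appender fragments below contrast the configuration shape the reviewer objects to, where the SQL statement itself lives in the config file, with the stored-procedure shape the appender already supports through its commandType setting and a PatternLayout acting as the "formatter" that builds one concatenated parameter. The server and database names, the Log table, the WriteLog procedure and the @Record parameter are assumed placeholders.

```xml
<!-- Added example; not from the issue or the log4net project.
     Placeholders (assumed): [server], [database], table Log, procedure WriteLog. -->

<!-- 1. Risky shape: the statement text is data in the config file, so whoever
        can edit the file decides what the logging connection executes. -->
<appender name="AdoNetAppender_FreeSql" type="log4net.Appender.AdoNetAppender">
  <bufferSize value="1" />
  <connectionType value="System.Data.SqlClient.SqlConnection, System.Data" />
  <connectionString value="data source=[server];initial catalog=[database];integrated security=true" />
  <commandText value="INSERT INTO Log ([Date],[Message]) VALUES (@log_date, @message)" />
  <parameter>
    <parameterName value="@log_date" />
    <dbType value="DateTime" />
    <layout type="log4net.Layout.RawTimeStampLayout" />
  </parameter>
  <parameter>
    <parameterName value="@message" />
    <dbType value="String" />
    <size value="4000" />
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%message" />
    </layout>
  </parameter>
</appender>

<!-- 2. Constrained shape, along the lines the report proposes: a fixed procedure
        name, commandType StoredProcedure, and a single parameter carrying the
        concatenated record built by the layout. Grant the logging account
        EXECUTE on WriteLog only: then a tampered commandText still cannot read
        or modify other objects, because the account has no rights to them. -->
<appender name="AdoNetAppender_StoredProc" type="log4net.Appender.AdoNetAppender">
  <bufferSize value="1" />
  <connectionType value="System.Data.SqlClient.SqlConnection, System.Data" />
  <connectionString value="data source=[server];initial catalog=[database];integrated security=true" />
  <commandText value="WriteLog" />
  <commandType value="StoredProcedure" />
  <parameter>
    <parameterName value="@Record" />
    <dbType value="String" />
    <size value="4000" />
    <layout type="log4net.Layout.PatternLayout">
      <!-- delimiter-separated fields; WriteLog splits them server-side -->
      <conversionPattern value="%date{yyyy-MM-dd HH:mm:ss}|%level|%logger|%message" />
    </layout>
  </parameter>
</appender>
```

The second form narrows what the config file can express but does not protect the file itself; file permissions and integrity monitoring on the config still have to cover the "somebody can change the config file" case the report raises.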

            People

            • Assignee:
              Unassigned
              Reporter:
              timschwallie Tim Schwallie