Forum: Ruby on Rails Possible Rails Security Issue?

Kevin S. (Guest)
on 2006-02-07 19:57
(Received via mailing list)
I have an e-commerce site and users check out with a form.  The
results of that form are sent to a "confirm your order" page via
POST.  I take great pains to NEVER store the full credit card number
on my server--just the last 4 digits.  I was very surprised to find
that by default Rails will record POST requests with parameters in
the production.log.  And those parameters include credit card numbers!

I know that log levels can be customized and adjusted to show only
errors but it seems like the default Rails behavior should be to NOT
log the POST parameters when in production mode.

Is this something that needs to be addressed?  If so, what's the
correct way to escalate it?  At the very least, I think there should
be clear warnings and documentation about this fact.

Kevin S.

------
Here's a sample from my log with the personal information stripped
out by hand:

Processing StoreController#checkout (for xxx.xxx.xxx.xxx at 2006-02-06 09:38:27) [GET]
   Parameters: {"action"=>"checkout", "controller"=>"store"}
Rendering  within layouts/store
Rendering store/checkout
Start rendering component ({:action=>"display_cart"}):

Processing StoreController#confirm_order (for xxx.xxx.xxx.xxx at 2006-02-06 09:39:32) [POST]
   Parameters: {"commit"=>" Continue ", "action"=>"confirm_order", "payment"=>{"card_type"=>"M", "card_number"=>"0000000000000000", "pay_type"=>"cc", "card_expiration(1i)"=>"2007", "card_expiration(2i)"=>"7"}, "controller"=>"store", "customer"=>{"company"=>"Xxxxx", "city"=>"Xxxxx", "zip"=>"00000", "country"=>"US", "suite"=>"", "phone"=>"000-000-0000", "first_name"=>"Xxxxx", "address"=>"00 Xxxxxxx", "last_name"=>"Xxxxx", "email"=>"removed_email_address@domain.invalid", "state"=>"XX"}}
Rendering  within layouts/store
Rendering store/confirm_order
Start rendering component ({:action=>"display_cart"}):
Ben R. (Guest)
on 2006-02-07 20:06
(Received via mailing list)
I have noticed this to with users logging in.  The plain password is
available via the log.  I guess one argument could be that the logs on
on your server, and should only be available to authorized personnel.

~ Ben


--
Ben R.
http://www.benr75.com
Ben R. (Guest)
on 2006-02-07 20:09
(Received via mailing list)
~ Quick typing created a rather poor post... Here is a patch ;)

I have noticed this too with users logging in.  The plain password is
available via the log.  I guess one argument could be that the logs are
on your server, and should only be available to authorized personnel.

~ Ben


--
Ben R.
http://www.benr75.com
Bill P. (Guest)
on 2006-02-07 20:47
(Received via mailing list)
Pretty poor argument given that the regulations around credit card
security are pretty specific about what you can and cannot do with CC
numbers. Storing them anywhere in a non-encrypted format is a big
no-no. I am guessing Kevin does not want to store them to avoid having
to deal with PCI regulations that would require additional security
process to be in place.

This sounds like something that should be clearly spelled out in the
docs somewhere.


- Bill
Joe M. (Guest)
on 2006-02-07 21:13
(Received via mailing list)
I personally do not feel that this is a Rails security issue - But I do
HIGHLY recommend that it is pointed out very, very plainly that by
default, all POSTS are sent to the server logs...it should be up to the
developer to make adjustments as needed for the project.

One person's "no-no" is someone else's "yes, please" - this is why I
think Rails is just fine, but again, it should be set with a big warning
in the docs on what Rails logs.


Joseph Youngquist
Estelle W. (Guest)
on 2006-02-07 21:22
(Received via mailing list)
Is there any way of automatically stopping all password fields from
being added to the logs?

Estelle.
Bill P. (Guest)
on 2006-02-07 22:16
(Received via mailing list)
I did not mean to imply it was a rails issue per se, just that it
should be clearly spelled out somewhere. Logging of the POST data is
not something that is standard IMO and therefore should be brought to
the attention of security-conscious developers.

My argument would be to not have it turned on by default, the default
level would be WARN, but then again I have a large collection of hats
in various metals. :-)

- Bill
Jeremy E. (Guest)
on 2006-02-08 08:12
(Received via mailing list)
On 2/7/06, Estelle W. <removed_email_address@domain.invalid> wrote:
> Is there any way of automatically stopping all password fields from
> being added to the logs?

There's always the Filter Logged Params plugin:
http://wiki.rubyonrails.org/rails/pages/Filter+Log...
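
Added example (not part of the original thread, and not the plugin's code): a plain-Ruby sketch of what parameter filtering does to a nested params hash like the confirm_order request logged above. The key patterns, the helper names and the sample request are assumptions made for illustration; current Rails versions expose the same idea through config.filter_parameters.

```ruby
# Added illustration (not the plugin's code): mask sensitive request
# parameters before they are written to a log line.
SENSITIVE_KEYS = [/password/i, /card_number/i, /cvv/i].freeze # assumed list
FILTERED = "[FILTERED]"

# Luhn checksum: true for digit strings that pass the card-number check.
def luhn_valid?(digits)
  sum = digits.reverse.each_char.with_index.sum do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d > 9 ? d - 9 : d
  end
  (sum % 10).zero?
end

# Catch card numbers that arrive under a key the name list does not cover.
def pan_like?(value)
  return false unless value.is_a?(String)
  digits = value.delete(" -")
  digits.match?(/\A\d{13,19}\z/) && luhn_valid?(digits)
end

# Recursively copy params, replacing sensitive values; the input is untouched.
def filter_params(params)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if SENSITIVE_KEYS.any? { |re| re.match?(key.to_s) }
                   FILTERED
                 else
                   filter_params(value)
                 end
    end
  when Array then params.map { |v| filter_params(v) }
  else pan_like?(params) ? FILTERED : params
  end
end

# Constructed sample shaped like the confirm_order request in the thread.
# 4111111111111111 is a widely used test number, not a real card.
SAMPLE = {
  "action" => "confirm_order",
  "payment" => { "card_type" => "M", "card_number" => "4111111111111111",
                 "card_expiration(1i)" => "2007" },
  "customer" => { "zip" => "00000", "notes" => "4111 1111 1111 1111" },
  "user" => { "password" => "hunter2" }
}.freeze

puts "Parameters: #{filter_params(SAMPLE).inspect}"
```

The value check matters because a key-name list only covers fields you anticipated; a card number typed into a free-text field is still caught by its shape.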