Possible Rails Security Issue?


#1

I have an e-commerce site and users check out with a form. The
results of that form are sent to a “confirm your order” page via
POST. I take great pains to NEVER store the full credit card number
on my server–just the last 4 digits. I was very surprised to find
that by default Rails will record POST requests with parameters in
the production.log. And those parameters include credit card numbers!

I know that log levels can be customized and adjusted to show only
errors but it seems like the default Rails behavior should be to NOT
log the POST parameters when in production mode.

Is this something that needs to be addressed? If so, what’s the
correct way to escalate it? At the very least, I think there should
be clear warnings and documentation about this fact.

Kevin S.


Here’s a sample from my log with the personal information stripped
out by hand:

Processing StoreController#checkout (for xxx.xxx.xxx.xxx at 2006-02-06 09:38:27) [GET]
Parameters: {"action"=>"checkout", "controller"=>"store"}
Rendering within layouts/store
Rendering store/checkout
Start rendering component ({:action=>"display_cart"}):

Processing StoreController#confirm_order (for xxx.xxx.xxx.xxx at 2006-02-06 09:39:32) [POST]
Parameters: {"commit"=>" Continue ", "action"=>"confirm_order", "payment"=>{"card_type"=>"M", "card_number"=>"0000000000000000", "pay_type"=>"cc", "card_expiration(1i)"=>"2007", "card_expiration(2i)"=>"7"}, "controller"=>"store", "customer"=>{"company"=>"Xxxxx", "city"=>"Xxxxx", "zip"=>"00000", "country"=>"US", "suite"=>"", "phone"=>"000-000-0000", "first_name"=>"Xxxxx", "address"=>"00 Xxxxxxx", "last_name"=>"Xxxxx", "email"=>"removed_email_address@domain.invalid", "state"=>"XX"}}
Rendering within layouts/store
Rendering store/confirm_order
Start rendering component ({:action=>"display_cart"}):


#2

I have noticed this to with users logging in. The plain password is
available via the log. I guess one argument could be that the logs on
on your server, and should only be available to authorized personnel.

~ Ben

On 2/7/06, Kevin S. removed_email_address@domain.invalid wrote:


Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails


Ben R.
http://www.benr75.com


#3

~ Quick typing created a rather poor post… Here is a patch :wink:

I have noticed this too with users logging in. The plain password is
available via the log. I guess one argument could be that the logs are
on your server, and should only be available to authorized personnel.

~ Ben

On 2/7/06, Ben R. removed_email_address@domain.invalid wrote:


Ben R.
http://www.benr75.com




#4

I personally do not feel that this is a Rails security issue - but I do
HIGHLY recommend that it is pointed out very, very plainly that by
default, all POSTs are sent to the server logs... it should be up to the
developer to make adjustments as needed for the project.

One person's "no-no" is someone else's "yes, please" - this is why I
think Rails is just fine, but again, it should be set with a big warning
in the docs on what Rails logs.

Joseph Youngquist


#5

Pretty poor argument given that the regulations around credit card
security are pretty specific about what you can and cannot do with CC
numbers. Storing them anywhere in a non-encrypted format is a big no-no.
I am guessing Kevin does not want to store them to avoid having to deal
with PCI regulations that would require additional security processes
to be in place.

This sounds like something that should be clearly spelled out in the
docs somewhere.

On Feb 7, 2006, at 10:06 AM, Ben R. wrote:


Bill

#6

Is there any way of automatically stopping all password fields from
being added to the logs?

Estelle.


#7

On 2/7/06, Estelle W. removed_email_address@domain.invalid wrote:

Is there any way of automatically stopping all password fields from
being added to the logs?

There’s always the Filter Logged Params plugin:
http://wiki.rubyonrails.org/rails/pages/Filter+Logged+Params+Plugin
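
One way to do what that plugin does, covering both Kevin's log excerpt in #1 and Estelle's question: an added Ruby example, not the plugin's or Rails' own code. It assumes the key names card_number and password from the thread and a constructed params hash that mirrors the logged confirm_order request.

```ruby
# Added example (not the Filter Logged Params plugin's own code, and not
# Rails' own implementation): a stand-alone filter that masks sensitive
# parameter values before a request's params are written to a log.
# Key names (card_number, password) are taken from the thread; the params
# hash below is constructed to mirror the log excerpt in post #1.

SENSITIVE_KEYS = [/password/i, /card_number/i].freeze
MASK = "[FILTERED]"

# Recursively copy `params`, replacing the value of any key whose name
# matches one of `patterns`. Nested hashes and arrays are walked; every
# other value is passed through unchanged.
def filter_params(params, patterns = SENSITIVE_KEYS)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if patterns.any? { |re| key.to_s.match?(re) }
                   MASK
                 else
                   filter_params(value, patterns)
                 end
    end
  when Array
    params.map { |v| filter_params(v, patterns) }
  else
    params
  end
end

# Build the "Parameters: {...}" line the thread's log shows, but from the
# filtered copy, so the card number or password never reaches the file.
def parameters_log_line(params)
  "Parameters: #{filter_params(params).inspect}"
end

# Constructed params hash mirroring the confirm_order POST in post #1.
CONFIRM_ORDER_PARAMS = {
  "commit" => " Continue ", "action" => "confirm_order", "controller" => "store",
  "payment" => { "card_type" => "M", "card_number" => "0000000000000000",
                 "pay_type" => "cc", "card_expiration(1i)" => "2007",
                 "card_expiration(2i)" => "7" },
  "customer" => { "first_name" => "Xxxxx", "email" => "user@example.invalid" }
}.freeze

if __FILE__ == $0
  puts parameters_log_line(CONFIRM_ORDER_PARAMS)
  puts parameters_log_line("user" => { "login" => "ben", "password" => "hunter2" })
end
```

Later Rails versions ship the same idea built in as config.filter_parameters; the plugin was the way to get it before that.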


#8

I did not mean to imply it was a Rails issue per se, just that it
should be clearly spelled out somewhere. Logging of the POST data is
not something that is standard IMO and therefore should be brought to
the attention of security conscious developers.

My argument would be to not have it turned on by default; the default
level would be WARN, but then again I have a large collection of hats
in various metals. :slight_smile:

On Feb 7, 2006, at 11:11 AM, Joe Y. wrote:


Bill