Forum: Ruby on Rails Possible Rails Security Issue?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Kevin Skoglund (Guest)
on 2006-02-07 18:57
(Received via mailing list)
I have an e-commerce site and users check out with a form.  The
results of that form are sent to a "confirm your order" page via
POST.  I take great pains to NEVER store the full credit card number
on my server--just the last 4 digits.  I was very surprised to find
that by default Rails will record POST requests with parameters in
the production.log.  And those parameters include credit card numbers!

I know that log levels can be customized and adjusted to show only
errors but it seems like the default Rails behavior should be to NOT
log the POST parameters when in production mode.

Is this something that needs to be addressed?  If so, what's the
correct way to escalate it?  At the very least, I think there should
be clear warnings and documentation about this fact.

Kevin Skoglund

------
Here's a sample from my log with the personal information stripped
out by hand:

Processing StoreController#checkout (for xxx.xxx.xxx.xxx at
2006-02-06 09:38:27) [GET]
   Parameters: {"action"=>"checkout", "controller"=>"store"}
Rendering  within layouts/store
Rendering store/checkout
Start rendering component ({:action=>"display_cart"}):

Processing StoreController#confirm_order (for xxx.xxx.xxx.xxx at
2006-02-06 09:39:32) [POST]
   Parameters: {"commit"=>" Continue ", "action"=>"confirm_order",
"payment"=>{"card_type"=>"M", "card_number"=>"0000000000000000",
"pay_type"=>"cc", "card_expiration(1i)"=>"2007", "card_expiration
(2i)"=>"7"}, "controller"=>"store", "customer"=>{"company"=>"Xxxxx",
"city"=>"Xxxxx", "zip"=>"00000", "country"=>"US", "suite"=>"",
"phone"=>"000-000-0000", "first_name"=>"Xxxxx", "address"=>"00
Xxxxxxx", "last_name"=>"Xxxxx", "email"=>"xxx@xxxxxxx.com",
"state"=>"XX"}}
Rendering  within layouts/store
Rendering store/confirm_order
Start rendering component ({:action=>"display_cart"}):
Ben Reubenstein (Guest)
on 2006-02-07 19:06
(Received via mailing list)
I have noticed this to with users logging in.  The plain password is
available via the log.  I guess one argument could be that the logs on
on your server, and should only be available to authorized personnel.

~ Ben

On 2/7/06, Kevin Skoglund <kevin@pixelandpress.com> wrote:


--
Ben Reubenstein
http://www.benr75.com
Ben Reubenstein (Guest)
on 2006-02-07 19:09
(Received via mailing list)
~ Quick typing created a rather poor post... Here is a patch ;)

I have noticed this too with users logging in.  The plain password is
available via the log.  I guess one argument could be that the logs are
on your server, and should only be available to authorized personnel.

~ Ben

On 2/7/06, Ben Reubenstein <benr@x-cr.com> wrote:


--
Ben Reubenstein
http://www.benr75.com
Bill Pennington (Guest)
on 2006-02-07 19:47
(Received via mailing list)
Pretty poor argument given that the regulations around credit card
security are pretty specific about what you can and cannot do with CC
numbers. Storing them anywhere in a non-encrypted format is a big
no-no. I am guessing Kevin does not want to store them to avoid having
to deal with PCI regulations that would require additional security
process to be in place.

This sounds like something that should be clearly spelled out in the
docs somewhere.


On Feb 7, 2006, at 10:06 AM, Ben Reubenstein wrote:

- Bill
Joe Manfoo (joemanfoo)
on 2006-02-07 20:13
(Received via mailing list)
I personally do not feel that this is a Rails security issue - But I do
HIGHLY recommend that it is pointed out very, very plainly that by
default, all POSTS are sent to the server logs...it should be up to the
developer to make adjustments as needed for the project.

One person's "no-no" is someone else's "yes, please" - this is why I
think Rails is just fine, but again, it should be set with a big warning
in the docs on what Rails logs.


Joseph Youngquist
Estelle Winterflood (Guest)
on 2006-02-07 20:22
(Received via mailing list)
Is there any way of automatically stopping all password fields from
being added to the logs?

Estelle.
Bill Pennington (Guest)
on 2006-02-07 21:16
(Received via mailing list)
I did not mean to imply it was a rails issue per se, just that it
should be clearly spelled out somewhere. Logging of the POST data is
not something that is standard IMO and therefore should be brought to
the attention of security conscious developers.

My argument would be to not have it turned on by default, the default
level would be WARN, but then again I have a large collection of hats
in various metals. :-)

On Feb 7, 2006, at 11:11 AM, Joe Youngquist wrote:

- Bill
Jeremy Evans (Guest)
on 2006-02-08 07:12
(Received via mailing list)
On 2/7/06, Estelle Winterflood <estelle.winterflood@gmail.com> wrote:
> Is there any way of automatically stopping all password fields from
> being added to the logs?

There's always the Filter Logged Params plugin:
http://wiki.rubyonrails.org/rails/pages/Filter+Log...
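An added example (not the plugin's code, and not from anyone in this thread) of what such a filter has to do to answer Estelle's question: before the "Parameters:" line is written, walk the params hash recursively and replace any value whose key matches a sensitive pattern, so nested keys like "payment"=>{"card_number"=>...} are caught, not just top-level "password". The key patterns and the sample hash are assumptions modelled on Kevin's log excerpt.

```ruby
# Added example: recursive parameter filtering for the Rails 1.x
# "Parameters: {...}" log line. Key patterns below are assumptions.
FILTERED = "[FILTERED]".freeze

# Keys whose values must never reach production.log (assumed list).
DEFAULT_FILTER_PATTERNS = [/password/i, /card_number/i, /card_expiration/i].freeze

# Returns a filtered copy of params. Hashes are walked key by key; a key
# matching any pattern has its whole value replaced, other values are
# recursed into, so nested hashes and arrays are covered. The original
# params are not mutated, because the controller still needs them.
def filter_params(params, patterns = DEFAULT_FILTER_PATTERNS)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if patterns.any? { |pat| key.to_s =~ pat }
                   FILTERED
                 else
                   filter_params(value, patterns)
                 end
    end
  when Array
    params.map { |v| filter_params(v, patterns) }
  else
    params
  end
end

# Builds the log line the way Rails 1.x did (params.inspect), but from the
# filtered copy, so card numbers never reach the logger.
def parameters_log_line(params, patterns = DEFAULT_FILTER_PATTERNS)
  "  Parameters: #{filter_params(params, patterns).inspect}"
end

# Constructed sample, shaped like the checkout POST in the thread.
SAMPLE_PARAMS = {
  "commit" => " Continue ", "action" => "confirm_order", "controller" => "store",
  "payment" => { "card_type" => "M", "card_number" => "0000000000000000",
                 "pay_type" => "cc", "card_expiration(1i)" => "2007",
                 "card_expiration(2i)" => "7" },
  "customer" => { "email" => "xxx@example.com", "zip" => "00000" }
}.freeze

puts parameters_log_line(SAMPLE_PARAMS) if __FILE__ == $0
```

The same idea later shipped in Rails itself as filter_parameter_logging (Rails 1.2) and, in current Rails, as config.filter_parameters.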