Database Risk and PCI Compliance with ado.net appender
------------------------------------------------------

                 Key: LOG4NET-282
                 URL: https://issues.apache.org/jira/browse/LOG4NET-282
             Project: Log4net
          Issue Type: Improvement
          Components: Appenders
    Affects Versions: 1.2.10, 1.2.9
            Reporter: Tim Schwallie


Per our PCI/Risk exposure reviewer, the ado.net appender in log4net is a risk. 
Essentially, if somebody can gain access to the config file, they can change 
the config file to run any query via an error.

Obviously, there's a bigger concern if somebody can change a config file. 

The reviewer felt that with log4net being a popular tool this was a high risk 
because of how easy it would be for an attacker to change it.
Other logging tools make a call to a hard-coded stored procedure to log to a 
database.

If the ado.net appender could be changed to call a fixed stored procedure and 
perhaps pass parameters, some fixed and maybe a concatenated string for a 
variable number of parameters, the risk would probably be removed. The SP would 
be responsible for working with the concatenated string. A formatter may be 
the way to go to make the concatenated string.
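The contrast the reviewer is drawing, shown as an added configuration example that is not part of this issue or of the log4net project's own samples: the first appender carries its SQL inline in the config file, so anyone who can edit the file can replace the statement with whatever the connection's login is allowed to run; the second points the same appender at a fixed stored procedure through its commandType setting and passes typed parameters only. The table name ApplicationLog, the procedure name dbo.usp_WriteLog and the connection string are placeholders, and the example assumes the commandType property is available in the log4net version in use.

```xml
<!-- Added example; assumed names: ApplicationLog, dbo.usp_WriteLog, connection string placeholder. -->
<log4net>

  <!-- Variant A: inline SQL text (commandType defaults to Text).
       The statement itself lives in the config file, so editing the file
       changes what the logging connection executes. -->
  <appender name="AdoNetAppender_InlineSql" type="log4net.Appender.AdoNetAppender">
    <bufferSize value="1" />
    <connectionType value="System.Data.SqlClient.SqlConnection, System.Data, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <connectionString value="[CONNECTION STRING PLACEHOLDER]" />
    <commandText value="INSERT INTO ApplicationLog ([Date],[Level],[Logger],[Message]) VALUES (@log_date, @log_level, @logger, @message)" />
    <parameter>
      <parameterName value="@log_date" />
      <dbType value="DateTime" />
      <layout type="log4net.Layout.RawTimeStampLayout" />
    </parameter>
    <parameter>
      <parameterName value="@log_level" />
      <dbType value="String" />
      <size value="50" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%level" />
      </layout>
    </parameter>
    <parameter>
      <parameterName value="@logger" />
      <dbType value="String" />
      <size value="255" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%logger" />
      </layout>
    </parameter>
    <parameter>
      <parameterName value="@message" />
      <dbType value="String" />
      <size value="4000" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%message" />
      </layout>
    </parameter>
  </appender>

  <!-- Variant B: fixed stored procedure with typed parameters.
       commandText is only a procedure name; the SQL is defined and
       permissioned on the database side, not in this file. -->
  <appender name="AdoNetAppender_StoredProc" type="log4net.Appender.AdoNetAppender">
    <bufferSize value="1" />
    <connectionType value="System.Data.SqlClient.SqlConnection, System.Data, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <connectionString value="[CONNECTION STRING PLACEHOLDER]" />
    <commandType value="StoredProcedure" />
    <commandText value="dbo.usp_WriteLog" />
    <parameter>
      <parameterName value="@log_date" />
      <dbType value="DateTime" />
      <layout type="log4net.Layout.RawTimeStampLayout" />
    </parameter>
    <parameter>
      <parameterName value="@log_level" />
      <dbType value="String" />
      <size value="50" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%level" />
      </layout>
    </parameter>
    <parameter>
      <parameterName value="@logger" />
      <dbType value="String" />
      <size value="255" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%logger" />
      </layout>
    </parameter>
    <parameter>
      <parameterName value="@message" />
      <dbType value="String" />
      <size value="4000" />
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%message" />
      </layout>
    </parameter>
  </appender>

  <root>
    <level value="INFO" />
    <appender-ref ref="AdoNetAppender_StoredProc" />
  </root>
</log4net>
```

Variant B only reduces the exposure if the database login named in the connection string is granted EXECUTE on dbo.usp_WriteLog and nothing else; with a broadly privileged login, an edited commandText could still name a different procedure. Restricting write access to the config file itself remains the first control either way, as the issue notes.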
