[ https://issues.apache.org/jira/browse/LOG4NET-282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13830181#comment-13830181 ]
Jonathan Choy commented on LOG4NET-282:
---------------------------------------

The mitigation for PCI compliance would seem to be the programmatic configuration of the appender which you need to write to the database, or the creation of a locally maintained appender which meets these security requirements. Recommend "won't-fix".

> Database Risk and PCI Compliance with ado.net appender
> ------------------------------------------------------
>
>                 Key: LOG4NET-282
>                 URL: https://issues.apache.org/jira/browse/LOG4NET-282
>             Project: Log4net
>          Issue Type: Improvement
>          Components: Appenders
>    Affects Versions: 1.2.9, 1.2.10
>            Reporter: Tim Schwallie
>              Labels: security
>             Fix For: 1.2 Maintenance Release
>
>
> Per our PCI/Risk exposure reviewer, the ado.net appender in log4net is a
> risk. Essentially, if somebody can gain access to the config file, they can
> change the config file to run any query via an error.
> Obviously, there's a bigger concern if somebody can change a config file.
> The reviewer felt that with log4net being a popular tool this was a high risk
> because of how easy it would be for an attacker to change it.
> Other logging tools make a call to a hard-coded stored procedure to log to a
> database.
> If the ado.net appender could be changed to call a fixed stored procedure and
> perhaps pass parameters with some fixed and maybe a concatenated string for a
> variable number of parameters, the risk would probably be removed. The SP
> would be responsible for working with the concatenated string. A formatter
> may be the way to go to make the concatenated string.

--
This message was sent by Atlassian JIRA
(v6.1#6144)
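The mitigation the comment describes (configure the appender in code rather than in the XML file) combined with the reporter's suggestion (call one fixed stored procedure with typed parameters), as an added example that is not part of the JIRA thread or of log4net itself. The stored procedure name `dbo.usp_WriteLog`, the parameter names and the connection string are placeholders; only the log4net types and members used are real.

```csharp
using System.Data;
using log4net.Appender;
using log4net.Config;
using log4net.Layout;

// Added example (not from the JIRA thread or the log4net project). The SQL the
// appender runs is fixed at compile time, so editing log4net's XML config file
// cannot turn the logger into an arbitrary-query channel. Procedure name and
// connection string below are placeholders.
public static class SecureDbLogging
{
    public static AdoNetAppender Configure()
    {
        var appender = new AdoNetAppender
        {
            Name = "StoredProcAppender",
            ConnectionType = "System.Data.SqlClient.SqlConnection, System.Data",
            ConnectionString = "<connection string loaded from a protected store>",
            // One fixed stored procedure; no free-form CommandText from config.
            CommandType = CommandType.StoredProcedure,
            CommandText = "dbo.usp_WriteLog",   // placeholder procedure name
            UseTransactions = true,
            BufferSize = 1,
        };

        // Each logged value is bound as a typed parameter, never concatenated
        // into SQL text, and the Size caps what reaches the database.
        appender.AddParameter(Param("@log_date", DbType.DateTime, 0, new RawTimeStampLayout()));
        appender.AddParameter(Param("@log_level", DbType.String, 50, Pattern("%level")));
        appender.AddParameter(Param("@logger", DbType.String, 255, Pattern("%logger")));
        appender.AddParameter(Param("@message", DbType.String, 4000, Pattern("%message")));

        appender.ActivateOptions();
        BasicConfigurator.Configure(appender);   // no XML config file involved
        return appender;
    }

    private static AdoNetAppenderParameter Param(string name, DbType type, int size, IRawLayout layout)
    {
        return new AdoNetAppenderParameter { ParameterName = name, DbType = type, Size = size, Layout = layout };
    }

    private static IRawLayout Pattern(string pattern)
    {
        var layout = new PatternLayout(pattern);
        layout.ActivateOptions();
        return new Layout2RawLayoutAdapter(layout);
    }
}
```

Because `ConfigureAndWatch`/XML configuration is not used, a change to the deployed config file no longer changes what the appender executes; the database account used here should additionally be granted EXECUTE on the one procedure only.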