Posted to user@ofbiz.apache.org by Vicky Park <vi...@pexsupply.com> on 2012/03/21 17:25:18 UTC

[Security Concern] Printing out credit card information on the log file?

Hello folks,


I realized that printing some information to log files could violate PCI 
DSS (Payment Card Industry Data Security Standard), depending on how they 
configure the system and how they use the log file. If I understood 
correctly, we're printing cardholder information, including the credit 
card number, expiration and CVV number, in plain text to the log file.

If we don't print to the log at all on the live site, that would 
solve the problem. But if there is a person who wasn't aware of that 
fact, he might accidentally violate PCI DSS compliance. For 
example, let's say there is a person who keeps the log printed on 
the live site. And for some reason, he downloaded the log file to his local 
computer and kept it in an unsafe location, or passed it to someone else to let 
them take a look at that log file when asking for help. Then I believe he is 
violating PCI DSS compliance accidentally.


Code involved 1:
[PayflowPro.java:166]
if (Debug.verboseOn()) Debug.logVerbose("Sending to Verisign: " + 
params.toString(), module);


Log which is being printed:
[Datetime] (TP-Processor70) [         PayflowPro.java:166:INFO ] Sending 
to Verisign: PARTNER=verisign&VENDOR=[Company 
]&USER=[UserID]&PWD=[Password]&COMMENT1=[Order ID]&PONUM=[PO Order Id] 
&CUSTCODE=[Customer's code]&TRXTYPE=[]&TENDER=[]&CVV2=*[CVV 
number*]&AMT=[Amount]&ACCT=*[16 digit credit card number in plain 
text]*&FIRSTNAME=[Cardholder's firstname]&LASTNAME=[Card holder's last 
name]&COMMENT2=[]&EXPDATE=*[expiration date]*&STREET=[Card holder's 
address&ZIP=[card holder's zip code]


Code involved 2:
[RequestHandler.java:719]
if (Debug.infoOn()) Debug.logInfo("Sending redirect to: [" + url + "], 
sessionId=" + UtilHttp.getSessionId(req), module);

=> I realized that credit card information is being printed from a 
different file as well (RequestHandler.java:719). I need to check what 
service triggers RequestHandler.java:719 and passes credit card 
information within the url variable. But at least I noticed that sometimes 
that line in the log file contains credit card information in plain text as well.


PCI DSS involved:
7. Restrict access to cardholder data by business need-to-know
9. Restrict physical access to cardholder data
[Reference]http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard



So, here are my questions & recommendations:

1. As we (at least I) want to keep the log just in case, I think it's better 
not to print credit card information to the log file. What do you 
think? Do you think deleting that line is the best option?
2. If you guys think it's better to print at least some information 
to the log file for some purpose, I believe it's better to print it in 
encrypted format rather than in plain text. Otherwise we can print the 
last 4 digits or first 4 digits, not the entire number.
3. Do you know what triggers RequestHandler to print out credit card 
information?
4. Is there any other file you can think of which is likely to print 
credit card information to the log file?


I hope this will be helpful for security improvement, for myself and anyone 
else who may use ofbiz on a live site.


Thank you for reading.
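
Suggestion 2 above (log only the last 4 digits) and the redirect URL logged at RequestHandler.java:719 can both be handled by scrubbing the string before it is passed to the logger. The following is an added example, not part of the original post and not OFBiz code: PaymentLogSanitizer and its methods are hypothetical names, the field names come from the log line quoted above, and the sample values in main are constructed.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not an OFBiz class): scrubs cardholder data before it reaches a logger. */
public final class PaymentLogSanitizer {
    // Field names taken from the log line quoted in this thread; these values are never logged.
    private static final Set<String> DROP = Set.of("PWD", "CVV2", "EXPDATE");
    // 13 to 19 consecutive digits: candidate card numbers in free text such as a redirect URL.
    private static final Pattern DIGIT_RUN = Pattern.compile("(?<!\\d)\\d{13,19}(?!\\d)");

    /** Keeps only the last four digits of a card number. */
    static String maskPan(String pan) {
        String digits = pan.replaceAll("\\D", "");
        if (digits.length() < 4) return "****";
        return "*".repeat(digits.length() - 4) + digits.substring(digits.length() - 4);
    }

    /** Sanitizes a KEY=value&KEY=value request string like the one logged from PayflowPro.java. */
    public static String sanitizeParams(String params) {
        StringBuilder out = new StringBuilder();
        for (String pair : params.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            String k = key.trim().toUpperCase();
            if (DROP.contains(k)) value = "[REDACTED]";
            else if ("ACCT".equals(k)) value = maskPan(value);
            if (out.length() > 0) out.append('&');
            out.append(key);
            if (eq >= 0) out.append('=').append(value);
        }
        return out.toString();
    }

    /** Luhn checksum, used to tell card numbers from order ids and other long digit runs. */
    static boolean luhnValid(String digits) {
        int sum = 0;
        boolean dbl = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (dbl) { d *= 2; if (d > 9) d -= 9; }
            sum += d; dbl = !dbl;
        }
        return sum % 10 == 0;
    }

    /** Masks card numbers embedded in arbitrary text, e.g. the url logged by RequestHandler.java. */
    public static String maskPansInText(String text) {
        Matcher m = DIGIT_RUN.matcher(text);
        StringBuilder sb = new StringBuilder();
        while (m.find()) {
            m.appendReplacement(sb, luhnValid(m.group()) ? maskPan(m.group()) : m.group());
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; 4111111111111111 is a widely used test card number.
        System.out.println(sanitizeParams("USER=demo&PWD=s3cret&CVV2=123&AMT=10.00&ACCT=4111111111111111&EXPDATE=0115"));
        System.out.println(maskPansInText("Sending redirect to: [/checkout?cardNumber=4111111111111111&orderId=1000000000001]"));
    }
}
```

The first call prints the request with PWD, CVV2 and EXPDATE redacted and ACCT reduced to its last four digits; the second masks the card number in the URL but leaves the 13-digit order id alone because it fails the Luhn check.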


Re: [Security Concern] Printing out credit card information on the log file?

Posted by "Pierre @GMail" <pi...@gmail.com>.
Please check if a JIRA exists re this issue. If not, create one, please.

Regards,

Pierre


Re: [Security Concern] Printing out credit card information on the log file?

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Paul,

As suggested in my answer to Vicky, I have commented out the line [PayflowPro.java:166]
in trunk and ALL releases (including R4.0).

Vicky, could you please confirm that this change is enough for the other points you raised?

Trunk test is enough because all the automatic backports worked well, which is not surprising because this is really an old
adaptation to an external payment provider.

Jacques

Paul Piper wrote:
> I also agree that this is probably a security issue and could mean that you
> are not getting the proper validation by credit card companies. You need to
> be accredited by credit card companies with PCI DSS to even be allowed to
> support credit card transactions directly (unless you use an external iPayment
> service for this) and there you cannot store this sort of data in the logs.
> Only xxxx-ed out credit card information should be used.

Re: [Security Concern] Printing out credit card information on the log file?

Posted by Paul Piper <pp...@ilscipio.com>.
I also agree that this is probably a security issue and could mean that you
are not getting the proper validation by credit card companies. You need to
be accredited by credit card companies with PCI DSS to even be allowed to
support credit card transactions directly (unless you use an external iPayment
service for this) and there you cannot store this sort of data in the logs.
Only xxxx-ed out credit card information should be used.

---
Paul Piper
Managing Director
 
 
Web: http://www.ilscipio.com
Tel: (+49) 611-94589441
Mobile: (+49) 176-63283066
Fax: (+49) 611-94589449
Email: pp@ilscipio.com

 
ilscipio GmbH
Am Drosselschlag 7
D-35452 Heuchelheim
Germany



Re: [Security Concern] Printing out credit card information on the log file?

Posted by Jacques Le Roux <ja...@les7arts.com>.
From: "Vicky Park" <vi...@pexsupply.com>
> So, here are my questions & recommendations:
> 
> 1. As we (at least I) want to keep the log just in case, I think it's better 
> not to print credit card information to the log file. What do you 
> think? Do you think deleting that line is the best option?

It's very unlikely that anybody would run a production server with log set at verbose level at any moment for all classes/packages.
But we could easily comment out this line indeed (not deleting it)

> 2. If you guys think it's better to print at least some information 
> to the log file for some purpose, I believe it's better to print it in 
> encrypted format rather than in plain text. Otherwise we can print the 
> last 4 digits or first 4 digits, not the entire number.

Not needed if commented out; then people would be really aware that they are sending it to the log

> 3. Do you know what triggers RequestHandler to print out credit card 
> information?

I expect commenting out the line in PayflowPro.java would be enough

> 4. Is there any other file you can think of which is likely to print 
> credit card information to the log file?

I don't think so. PayflowPro is not used OOTB in OFBiz IIRW

Jacques
