Re: Cannot open log for source {0} -- again

From: Craig Wagner (craig_d_wagner_at_hotmail.com)
Date: 04/07/05

  • Next message: Joseph MCAD: "Re: Cannot open log for source {0} -- again" 
    Date: Thu, 07 Apr 2005 07:19:36 -0700

    "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote:

    >Sure, but web applications are a poor candidate for writing to the
    >application log for security reasons. Even if you're only logging
    >exceptions, a malicious user of the web application could cause your event
    >log to either fill or dump (clearing old entries to make place for new ones)
    >simply by forcing exceptions, thereby exposing you to either a denial of
    >service attack (via log filling) or hiding of clues to other activities (via
    >log dumping). For this reason, you would be better off writing to a custom
    >log rather than the default application log. At least with this approach,
    >abuse of your web application won't affect the logging activities of local
    >applications. You should also select the fill/dump behaviour of your custom
    >log carefully since you'll still be subject to the DOS vs overwrite issue,
    >even if it's restricted to only the single application.

    So when you said that writing to the event log from a web app wasn't a good
    idea, what you really meant was writing to the default application event log
    wasn't a good idea.

    Now what if there are no other apps running on the server? This is the only
    application.

    >That's fine if only your application (and/or others that also require the
    >same logging permissions) are run under this account. However, applications
    >that cannot be trusted to write to the log should not run under an account
    >with logging permissions.

    Agreed. But every application running on the server is an in-house developed
    application, so they can all be trusted to write to the log and, in fact, we
    want them logging a subset of their activities and unhandled exceptions should
    they occur for troubleshooting and debugging purposes.

    We could mitigate some of the potential for abuse by having each application
    (assuming there was more than one at some point) write to a different custom
    event log I suppose. But it seems to me the bottom line from this thread is that
    we just keep moving or mitigating the potential for trouble.

    And I purposely used the term "potential" twice, because we're a very targeted
    site used by our clients only. Yes, someone could stumble on it and try to be a
    *** and bring it down, but we're hardly worth the effort. We've had no
    incidents in the past five years. Sure, ignorance is no defense, and it isn't
    the only thing we do to take steps to protect ourselves, but we also need to
    weigh potential against complexity. 

    -- 
Craig Wagner, craig.wagner(at)comcast.net
Portland, OR
"Don't ban high-performance vehicles, ban low-performance drivers!"
  • Next message: Joseph MCAD: "Re: Cannot open log for source {0} -- again"