--- begin forwarded text From: Bob Antia <antia@leftbank.com> Subject: Major security flaw in Cybercash 2.1.2 (fwd) To: mjbauer@leftbank.com (Michael Bauer), rah@shipwright.com Date: Sat, 8 Nov 1997 10:04:14 -0500 (EST) MIME-Version: 1.0 Approved-By: aleph1@UNDERGROUND.ORG Message-ID: <f58bccfc52aba91d0973f9bf33160ddd@anon.efga.org> Date: Fri, 7 Nov 1997 22:54:16 -0500 Reply-To: Anonymous <anon@ANON.EFGA.ORG> Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG> Comments: This message was remailed by a FREE automated remailing service. For additional information on this service, send a message with the subject "remailer-help" to remailer@anon.efga.org. The body of the message will be discarded. To report abuse, contact the operator at admin@anon.efga.org. Headers below this point were inserted by the original sender. From: Anonymous <anon@ANON.EFGA.ORG> Subject: Major security flaw in Cybercash 2.1.2 To: BUGTRAQ@NETSPACE.ORG CyberCash v. 2.1.2 has a major security flaw that causes all credit card information processed by the server to be logged in a file with world-readable permissions. This security flaw exists in the default CyberCash installation and configuration. The flaw is a result of not being able to turn off debugging. Setting the "DEBUG" flag to "0" in the configuration files simply has no effect on the operation of the server. In CyberCash's server, when the "DEBUG" flag is on, the contents of all credit card transactions are written to a log file (named "Debug.log" by default). The easiest workaround I've found is to simply delete the existing Debug.log file. In my experience with the Solaris release, the CyberCash software does not create this file at start time when the DEBUG flag is set to 0. The inability to turn off debugging is noted on CyberCash's web site under "Known Limitations". The fact that credit card numbers are stored in the clear, in a world readable file, is not. --jet -b Bob Antia antia@leftbank.com The Left Bank Operation, Inc. http://www.leftbank.com TCP/IP Internetworking LAN/WAN/NT/UNIX Admin PGP fingerprint 9B 70 FF 2D 03 CC 5F C1 3E 29 6E D4 16 79 44 A8 --- end forwarded text ----------------- Robert Hettinga (rah@shipwright.com), Philodox e$, 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' The e$ Home Page: http://www.shipwright.com/ Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>