Major security flaw in Cybercash 2.1.2 (fwd)

Robert Hettinga rah at shipwright.com
Sat Nov 8 07:32:29 PST 1997
--- begin forwarded text


From: Bob Antia <antia at leftbank.com>
Subject: Major security flaw in Cybercash 2.1.2 (fwd)
To: mjbauer at leftbank.com (Michael Bauer), rah at shipwright.com
Date: Sat, 8 Nov 1997 10:04:14 -0500 (EST)
MIME-Version: 1.0


Approved-By: aleph1 at UNDERGROUND.ORG
Message-ID: <f58bccfc52aba91d0973f9bf33160ddd at anon.efga.org>
Date: 	Fri, 7 Nov 1997 22:54:16 -0500
Reply-To: Anonymous <anon at ANON.EFGA.ORG>
Sender: Bugtraq List <BUGTRAQ at NETSPACE.ORG>
Comments:     This message was remailed by a FREE automated remailing service.
              For additional information on this service,
              send a message with the subject "remailer-help" to
              remailer at anon.efga.org. The body of the message will be
              discarded. To report abuse,
              contact the operator at admin at anon.efga.org.  Headers below this
              point were inserted by the original sender.
From: Anonymous <anon at ANON.EFGA.ORG>
Subject:      Major security flaw in Cybercash 2.1.2
To: BUGTRAQ at NETSPACE.ORG

CyberCash v. 2.1.2 has a major security flaw that causes all credit
card information processed by the server to be logged in a file with
world-readable permissions.  This security flaw exists in the default
CyberCash installation and configuration.

The flaw is a result of not being able to turn off debugging.  Setting
the "DEBUG" flag to "0" in the configuration files simply has no
effect on the operation of the server.

In CyberCash's server, when the "DEBUG" flag is on, the contents of
all credit card transactions are written to a log file (named
"Debug.log" by default).

The easiest workaround I've found is to simply delete the existing
Debug.log file.  In my experience with the Solaris release, the
CyberCash software does not create this file at start time when the
DEBUG flag is set to 0.

The inability to turn off debugging is noted on CyberCash's web site
under "Known Limitations".  The fact that credit card numbers are
stored in the clear, in a world readable file, is not.

--jet

-b

Bob Antia                                           antia at leftbank.com
The Left Bank Operation, Inc.                       http://www.leftbank.com
TCP/IP Internetworking                              LAN/WAN/NT/UNIX Admin
PGP fingerprint          9B 70 FF 2D 03 CC 5F C1  3E 29 6E D4 16 79 44 A8

--- end forwarded text
-----------------
Robert Hettinga (rah at shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>
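As an added example (not part of the forwarded post, and not CyberCash code), here is a small Python audit an administrator could run to confirm the conditions the post describes: that a Debug.log exists, that its mode bits make it world-readable, and that it contains Luhn-valid card numbers. The page gives only the file name Debug.log; the directory, the sample log lines and the field names in them are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Digit runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn (mod 10) check, which rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_pans(text):
    """Number of Luhn-valid card-number-like strings; the report never echoes them."""
    return sum(1 for m in PAN_RE.finditer(text)
               if luhn_ok(re.sub(r"[ -]", "", m.group(0))))

def audit_debug_log(path):
    """Existence, world-readability (o+r bit) and PAN count for one Debug.log."""
    report = {"exists": False, "world_readable": False, "pan_count": 0}
    if not os.path.isfile(path):
        return report
    report["exists"] = True
    report["world_readable"] = bool(os.stat(path).st_mode & stat.S_IROTH)
    with open(path, errors="replace") as fh:
        report["pan_count"] = count_pans(fh.read())
    return report

# Constructed sample lines (not real CyberCash output); 4111... passes Luhn, 1234... does not.
SAMPLE_LOG = (
    "1997-11-07 22:54:16 DEBUG txn card=4111 1111 1111 1111 exp=12/99\n"
    "1997-11-07 22:54:17 DEBUG merchant-ref=1234567890123456\n"
)

def demo():
    """Audit the constructed log while world-readable, after chmod 600, and once deleted."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Debug.log")
        with open(path, "w") as fh:
            fh.write(SAMPLE_LOG)
        os.chmod(path, 0o644)
        before = audit_debug_log(path)
        os.chmod(path, 0o600)
        after = audit_debug_log(path)
    return {"before": before, "after": after, "deleted": audit_debug_log(path)}
```

The "deleted" case mirrors the post's workaround: once the file is removed, there is nothing left for the audit to flag, though the underlying inability to disable DEBUG remains.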