Major security flaw in Cybercash 2.1.2

Anonymous (anon@ANON.EFGA.ORG)
Fri, 07 Nov 1997 22:54:16 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: George Imburgia: "Re: Intel Pentium Bug"
Previous message: Robert Watson: "Re: Major security-hole in kerberos rsh, rcp and rlogin."
Next in thread: Tim Scanlon: "Re: Major security flaw in Cybercash 2.1.2"

CyberCash v. 2.1.2 has a major security flaw that causes all credit
card information processed by the server to be logged in a file with
world-readable permissions. This security flaw exists in the default
CyberCash installation and configuration.

The flaw is a result of not being able to turn off debugging. Setting
the "DEBUG" flag to "0" in the configuration files simply has no
effect on the operation of the server.

In CyberCash's server, when the "DEBUG" flag is on, the contents of
all credit card transactions are written to a log file (named
"Debug.log" by default).

The easiest workaround I've found is to simply delete the existing
Debug.log file. In my experience with the Solaris release, the
CyberCash software does not create this file at start time when the
DEBUG flag is set to 0.

The inability to turn off debugging is noted on CyberCash's web site
under "Known Limitations". The fact that credit card numbers are
stored in the clear, in a world readable file, is not.

--jet

Next message: George Imburgia: "Re: Intel Pentium Bug"
Previous message: Robert Watson: "Re: Major security-hole in kerberos rsh, rcp and rlogin."
Next in thread: Tim Scanlon: "Re: Major security flaw in Cybercash 2.1.2"