The flaw is a result of not being able to turn off debugging. Setting
the "DEBUG" flag to "0" in the configuration files simply has no
effect on the operation of the server.

In CyberCash's server, when the "DEBUG" flag is on, the contents of
all credit card transactions are written to a log file (named
"Debug.log" by default).

The easiest workaround I've found is to simply delete the existing
Debug.log file. In my experience with the Solaris release, the
CyberCash software does not create this file at start time when the
DEBUG flag is set to 0.

The inability to turn off debugging is noted on CyberCash's web site
under "Known Limitations". The fact that credit card numbers are
stored in the clear, in a world-readable file, is not.
--jet
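
An added example, not part of the original post or of CyberCash's software: a Python audit that reports whether a log file is world-readable and which lines hold Luhn-valid card-number candidates, masking them in the report. The sample log lines are constructed (the post does not show the real Debug.log layout) and the function names are hypothetical.

```python
import os
import re
import stat
import tempfile

# 13-19 digit runs, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs (timestamps, ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_log(path: str) -> dict:
    """Report whether `path` is world-readable and which lines hold a likely PAN."""
    mode = os.stat(path).st_mode
    hits = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for m in PAN_RE.finditer(line):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_ok(digits):
                    # Record only a masked form so the report is not a second leak.
                    hits.append((lineno, digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    return {"world_readable": bool(mode & stat.S_IROTH), "pan_hits": hits}

def demo() -> dict:
    # Constructed sample; the real Debug.log layout is not shown in the post.
    sample = (
        "1997-01-01 12:00:00 txn=1001 card=4111111111111111 exp=01/99\n"
        "1997-01-01 12:00:05 txn=1002 order-id=1234567890123456\n"
        "1997-01-01 12:00:09 txn=1003 card=4111-1111-1111-1111\n"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Debug.log")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # world-readable, as described in the post
        return audit_log(path)

if __name__ == "__main__":
    print(demo())
```

Pointing audit_log() at a real log directory after applying the workaround confirms whether the file has reappeared and whether its permissions still allow other local users to read it.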