Major security flaw in Cybercash 2.1.2

Anonymous (anon@ANON.EFGA.ORG)
Fri, 07 Nov 1997 22:54:16 -0500

CyberCash v. 2.1.2 has a major security flaw that causes all credit
card information processed by the server to be logged in a file with
world-readable permissions. This security flaw exists in the default
CyberCash installation and configuration.

The flaw is a result of not being able to turn off debugging. Setting
the "DEBUG" flag to "0" in the configuration files simply has no
effect on the operation of the server.

In CyberCash's server, when the "DEBUG" flag is on, the contents of
all credit card transactions are written to a log file (named
"Debug.log" by default).

The easiest workaround I've found is to simply delete the existing
Debug.log file. In my experience with the Solaris release, the
CyberCash software does not create this file at start time when the
DEBUG flag is set to 0.

The inability to turn off debugging is noted on CyberCash's web site
under "Known Limitations". The fact that credit card numbers are
stored in the clear, in a world readable file, is not.

--jet
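Added example (not code from the original post, CyberCash, or the poster): a small POSIX sh audit for the condition described above. It finds every Debug.log under an install tree whose mode grants "other" read, reports those that hold a Luhn-valid run of 13 to 19 digits (a likely card number), and applies the poster's workaround of deleting the file. The directory layout, the Luhn heuristic and the sample log line are assumptions; the only page-supported facts are the file name "Debug.log" and its world-readable default.

```shell
#!/bin/sh
# Added example, not CyberCash's own code or configuration. It audits an
# install tree for the world-readable Debug.log described in the post, flags
# any copy holding a Luhn-valid 13-19 digit run (a likely card number), and
# applies the poster's workaround of deleting the file. The tree layout,
# the Luhn heuristic and the sample log line are assumptions; the post only
# supports the file name "Debug.log" and its world-readable default.
# Needs a grep with -o (GNU or BSD); stock Solaris grep lacks it.

# Luhn check on a digit string: exit 0 when the checksum holds.
luhn_ok() {
    n=$1 sum=0 dbl=0
    while [ -n "$n" ]; do
        d=${n#"${n%?}"}        # last digit
        n=${n%?}               # drop it
        if [ "$dbl" -eq 1 ]; then
            d=$((d * 2))
            if [ "$d" -gt 9 ]; then d=$((d - 9)); fi
        fi
        sum=$((sum + d))
        dbl=$((1 - dbl))
    done
    [ $((sum % 10)) -eq 0 ]
}

# Exit 0 when the file contains at least one card-length digit run that
# passes Luhn. The loop runs in a subshell, so it exits with the verdict.
file_has_pan() {
    grep -oE '[0-9]{13,19}' "$1" 2>/dev/null | {
        while read -r run; do
            if luhn_ok "$run"; then exit 0; fi
        done
        exit 1
    }
}

# Print every Debug.log under $1 whose mode grants "other" read (o+r).
find_exposed_debug_logs() {
    find "$1" -type f -name Debug.log -perm -004 2>/dev/null
}

# Print each world-readable Debug.log under $1 that holds a likely PAN.
# Exit 0 when none is found, 1 otherwise.
audit_debug_logs() {
    find_exposed_debug_logs "$1" | {
        found=0
        while read -r f; do
            if file_has_pan "$f"; then
                echo "EXPOSED: $f"
                found=$((found + 1))
            fi
        done
        [ "$found" -eq 0 ]
    }
}

# The post's workaround: remove the log. The poster saw that the Solaris
# release does not recreate it at startup when DEBUG is 0; a restart with
# DEBUG at 1 would bring it back, so re-run the audit after any restart.
remove_debug_log() {
    rm -f "$1"
}

# Throwaway install tree with a constructed Debug.log so the audit can be
# exercised offline. The card number is the well-known Visa test number,
# not real data; the second log is world-readable but holds no PAN.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cybercash/logs" "$dir/cybercash/other"
    printf 'PAYMENT card=4111111111111111 exp=12/99 amount=19.95\n' \
        > "$dir/cybercash/logs/Debug.log"
    chmod 644 "$dir/cybercash/logs/Debug.log"
    printf 'startup ok\n' > "$dir/cybercash/other/Debug.log"
    chmod 644 "$dir/cybercash/other/Debug.log"
    echo "$dir"
}

# Usage: sh debuglog_audit.sh /path/to/cybercash   (audits a real tree)
#        sh debuglog_audit.sh                      (runs on the fixture)
if [ -n "${1:-}" ]; then
    audit_debug_logs "$1"
else
    fixture=$(make_fixture)
    audit_debug_logs "$fixture" || echo "world-readable card data under $fixture"
    rm -rf "$fixture"
fi
```

Run it as root against the CyberCash install directory so that find can descend into every subdirectory; a clean exit means no world-readable Debug.log with card-like content was found. Deleting the file only helps as long as the server does not recreate it, which the poster observed for the Solaris release with DEBUG set to 0, so the audit is worth repeating after every restart or upgrade.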