Re: Major security flaw in Cybercash 2.1.2

Megan Alexander (malexander@COMMANDCOM.COM)
Tue, 11 Nov 1997 14:32:15 -0500

This is also an issue with Verifone vPOS, which ships with the Microsoft
Site Server, partnered as an evaluation version.

Most of these credit card validators have the ability to store items to a
logfile, which is often turned on in debugging and testing and never turned
off by the administrator...

Here are some other interesting things about vPOS and Site Server, for the
e-commerce-minded among us:

1. In addition to the debug log mentioned above, the actual Commerce Server
store also has the ability to write a very lengthy logfile, called
ordinitbf, which can be added into the global.asa of the store, and called
using a scriptor component. Again, not very useful unless an administrator
turns on logging and never turns it off.

Things included in this file include: all shopper info, all address info
(billing and shipping), credit card info, including name, exp, and
number... you get the idea.

2. The vPOS service cannot be started automatically. The encryption string
MUST be typed in at start-up. This sequence cannot be automated. Therefore,
if a server using vPOS is somehow compromised in the middle of the night,
and no administrator is there to restart the service, all transactions will
fail until the next time the administrator restarts the service.

3. In order for vPOS to work with Microsoft Site Server (Commerce Server
2.0), the Commerce Server version 1.0 component wrapper must be used. In
order to trick the v1 component wrapper into thinking that Site Server is
really Merchant Server 1.0, A LOT of registry entries must be made.

Some of these registry entries include the SQL passwords, the NT
administrator login passwords, etc. Fun for the whole family, and
everything in plaintext.

4. The merchant certificates are stored in the SQL database whose passwords
you just typed in plaintext into the registry.

Sigh.

-megan

Megan Alexander: Webmaster, etc.
Command Software Systems
(561)575.3200 x 170
http://www.commandcom.com

-----Original Message-----
From: Tim Scanlon [SMTP:tfs@CHARM.SEALSOFT.COM]
Sent: Saturday, November 08, 1997 12:35 AM
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Major security flaw in Cybercash 2.1.2

On Fri, 7 Nov 1997, Anonymous said:
>In CyberCash's server, when the "DEBUG" flag is on, the contents of
>all credit card transactions are written to a log file (named
>"Debug.log" by default).
>
>The easiest workaround I've found is to simply delete the existing
>Debug.log file. In my experience with the Solaris release, the
>CyberCash software does not create this file at start time when the
>DEBUG flag is set to 0.
>

# make Debug.log a symlink to /dev/null so anything the DEBUG path writes is
# discarded (-f replaces an existing Debug.log; ln's order is TARGET then LINK)
ln -sf /dev/null Debug.log

Works easier than deleting over and over I'd hazard.

Tim

---
________________________________________________________________
tfs@sealsoft.com                (NeXTmail, MIME)     Tim Scanlon
tfs@epic.org                    (PGP key by req)  crypto is good
Seal Technologies Inc.                        I own my own words
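Every message in this thread comes back to the same failure: full card data written verbatim to a debug or transaction log. The following is an added example, not code from any poster, showing how a defender could check a suspect log for full card numbers (for instance, to confirm whether a workaround like the symlink above actually stopped the leak); the log lines are constructed and the field names are assumptions about the log format.

```python
"""Scan log lines for full card numbers leaked by debug logging.
Added example, not from any message in the thread; the log format is
constructed, the Luhn-based detection is format-agnostic."""
import re
from typing import Iterable, List, Tuple

# 13-19 digit runs, optionally grouped with spaces or dashes, not embedded in
# a longer digit run (avoids matching a slice out of a hash or serial number).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; never re-log the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(line: str) -> List[str]:
    """Return masked PANs found in one log line (Luhn-valid candidates only)."""
    hits = []
    for match in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits

def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every leaked card number."""
    return [(n, pan) for n, line in enumerate(lines, 1) for pan in find_pans(line)]

# Constructed sample in the shape of a verbose payment debug log. Line 1 holds
# a 13-digit order id that fails Luhn, so it must not be reported.
SAMPLE_LOG = [
    "1997-11-08 00:35:01 DEBUG order=1234567890123 shopper=jdoe",
    "1997-11-08 00:35:01 DEBUG card name=J. Doe exp=12/99 number=4111 1111 1111 1111",
    "1997-11-08 00:35:02 DEBUG auth request pan=5500000000000004 amt=19.95",
    "1997-11-08 00:35:02 DEBUG auth result code=00 ref=987654321",
]

if __name__ == "__main__":
    for lineno, pan in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: full card number present ({pan})")
```

Running it over the constructed sample reports lines 2 and 3 only; a non-empty result on a real log means the logging path, not just the file, needs to be turned off.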