
Major security flaw in Cybercash 2.1.2 (fwd)
--- begin forwarded text


From: Bob Antia <[email protected]>
Subject: Major security flaw in Cybercash 2.1.2 (fwd)
To: [email protected] (Michael Bauer), [email protected]
Date: Sat, 8 Nov 1997 10:04:14 -0500 (EST)
MIME-Version: 1.0


Approved-By: [email protected]
Message-ID: <[email protected]>
Date: 	Fri, 7 Nov 1997 22:54:16 -0500
Reply-To: Anonymous <[email protected]>
Sender: Bugtraq List <[email protected]>
Comments:     This message was remailed by a FREE automated remailing service.
              For additional information on this service,
              send a message with the subject "remailer-help" to
              [email protected]. The body of the message will be
              discarded. To report abuse,
              contact the operator at [email protected].  Headers below this
              point were inserted by the original sender.
From: Anonymous <[email protected]>
Subject:      Major security flaw in Cybercash 2.1.2
To: [email protected]

CyberCash v. 2.1.2 has a major security flaw that causes all credit
card information processed by the server to be logged in a file with
world-readable permissions.  This security flaw exists in the default
CyberCash installation and configuration.

The flaw is a result of not being able to turn off debugging.  Setting
the "DEBUG" flag to "0" in the configuration files simply has no
effect on the operation of the server.

In CyberCash's server, when the "DEBUG" flag is on, the contents of
all credit card transactions are written to a log file (named
"Debug.log" by default).

The easiest workaround I've found is to simply delete the existing
Debug.log file.  In my experience with the Solaris release, the
CyberCash software does not create this file at start time when the
DEBUG flag is set to 0.

The inability to turn off debugging is noted on CyberCash's web site
under "Known Limitations".  The fact that credit card numbers are
stored in the clear, in a world-readable file, is not.

--jet

-b

Bob Antia                                           [email protected]
The Left Bank Operation, Inc.                       http://www.leftbank.com
TCP/IP Internetworking                              LAN/WAN/NT/UNIX Admin
PGP fingerprint          9B 70 FF 2D 03 CC 5F C1  3E 29 6E D4 16 79 44 A8

--- end forwarded text
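The exposure the post describes is a debug log that holds card data and that every local user can read. The following POSIX shell audit is an added example; it is not code from the Bugtraq post, from CyberCash, or from the forwarder. It reports whether a log file is world-readable, counts lines that look like they contain a card number, and tightens the mode to 0600. The log path and the sample line format are assumptions; the post names only "Debug.log" and does not describe its layout.

```shell
#!/bin/sh
# Added example (not from the Bugtraq post or CyberCash): audit a debug log
# for world-readable permissions and card-number-like content, then fix the
# mode. The file location used in the demo is an assumption.

# Print the "other" permission triplet of a file, e.g. "r--" for mode 0644.
# Uses ls(1) columns 8-10, which is portable across GNU and BSD userlands.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Return 0 (true) when the file grants read access to everyone.
is_world_readable() {
    case "$(other_perms "$1")" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print the number of lines containing a 13-16 digit run, a rough sign that
# card numbers are being written in the clear. grep -c exits 1 on zero
# matches, so "|| true" keeps a caller running under set -e.
count_card_like_lines() {
    grep -cE '[0-9]{13,16}' "$1" || true
}

# Remove group and other access so only the owning account can read the log.
harden_log() {
    chmod 600 "$1"
}

# Audit one file. Returns 0 if it was already safe (or absent), 1 if its
# permissions had to be tightened.
audit_debug_log() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "no such file: $f"
        return 0
    fi
    n=$(count_card_like_lines "$f")
    [ "$n" -gt 0 ] && echo "WARNING: $n card-like line(s) in $f"
    if is_world_readable "$f"; then
        echo "FIX: $f is world-readable, tightening to 0600"
        harden_log "$f"
        return 1
    fi
    echo "OK: $f is not world-readable"
    return 0
}

# Demo on a constructed sample log. The transaction line format is made up;
# the card number is the well-known 4111... test value, not a real account.
demo_dir=$(mktemp -d)
DEBUG_LOG="$demo_dir/Debug.log"   # assumed location of the debug log
printf 'txn 0001 card=4111111111111111 exp=12/99\n' > "$DEBUG_LOG"
chmod 644 "$DEBUG_LOG"
audit_debug_log "$DEBUG_LOG" || echo "permissions were changed"
rm -rf "$demo_dir"
```

The workaround in the post (deleting Debug.log) only helps if the server does not recreate the file; running an audit like this from cron catches the case where it does, and the line count gives a quick signal that card data is still being logged.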
-----------------
Robert Hettinga ([email protected]), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
Ask me about FC98 in Anguilla!: <http://www.fc98.ai/>