Bugtraq mailing list archives
Major security flaw in Cybercash 2.1.2
From: anon () ANON EFGA ORG (Anonymous)
Date: Fri, 7 Nov 1997 22:54:16 -0500
CyberCash v. 2.1.2 has a major security flaw that causes all credit card information processed by the server to be logged in a file with world-readable permissions. This security flaw exists in the default CyberCash installation and configuration.

The flaw is a result of not being able to turn off debugging. Setting the "DEBUG" flag to "0" in the configuration files simply has no effect on the operation of the server. In CyberCash's server, when the "DEBUG" flag is on, the contents of all credit card transactions are written to a log file (named "Debug.log" by default).

The easiest workaround I've found is to simply delete the existing Debug.log file. In my experience with the Solaris release, the CyberCash software does not create this file at start time when the DEBUG flag is set to 0.

The inability to turn off debugging is noted on CyberCash's web site under "Known Limitations". The fact that credit card numbers are stored in the clear, in a world-readable file, is not.

--jet
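
An added example, not part of the original post and not CyberCash code: a Python audit that checks whether a log file is world-readable and reports which of its lines contain Luhn-valid card numbers. The log line format and sample values are constructed for illustration; only the file name Debug.log comes from the post.

```python
import os
import re
import stat
import tempfile

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def audit_log(path):
    """Report whether `path` is world-readable and which lines hold likely card numbers."""
    world = bool(os.stat(path).st_mode & stat.S_IROTH)
    hits = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            pans = [re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(line)]
            if any(luhn_ok(p) for p in pans):
                hits.append(lineno)  # record the line number only, never the digits
    return {"world_readable": world, "pan_lines": hits}


def demo():
    """Audit a constructed log (assumed format, not CyberCash's) before and after chmod."""
    sample = (
        "1997-11-07 22:10:02 card=4111 1111 1111 1111 exp=0199\n"  # standard test number
        "1997-11-07 22:10:03 order-ref=1234567890123456\n"         # fails Luhn, ignored
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Debug.log")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # the condition the post describes: readable by everyone
        before = audit_log(path)
        os.chmod(path, 0o600)  # owner-only
        after = audit_log(path)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Tightening the mode removes the world-readable condition, but the second result still lists the card-number line: the data remains in the clear until the file itself is removed, as the workaround in the post does.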