Bugtraq mailing list archives
Re: Major security flaw in Cybercash 2.1.2
From: malexander () COMMANDCOM COM (Megan Alexander)
Date: Tue, 11 Nov 1997 14:32:15 -0500
This is also an issue with Verifone vPOS, which ships with the Microsoft Site Server, partnered as an evaluation version. Most of these credit card validators have the ability to store items to a logfile, which is often turned on in debugging and testing and never turned off by the administrator...

Here are some other interesting things about vPOS and Site Server, for the e-commerce-minded among us:

1. In addition to the debug log mentioned above, the actual Commerce Server store also has the ability to write a very lengthy logfile, called ordinitbf, which can be added into the global.asa of the store and called using a scriptor component. Again, not very useful unless an administrator turns on logging and never turns it off. Things included in this file include: all shopper info, all address info (billing and shipping), credit card info, including name, exp, and number... you get the idea.

2. The vPOS service cannot be started automatically. The encryption string MUST be typed in at start-up. This sequence cannot be automated. Therefore, if a server using vPOS is somehow compromised in the middle of the night, and no administrator is there to restart the service, all transactions will fail until the next time the administrator restarts the service.

3. In order for vPOS to work with Microsoft Site Server (Commerce Server 2.0), the Commerce Server version 1.0 component wrapper must be used. In order to trick the v1 component wrapper into thinking that Site Server is really Merchant Server 1.0, A LOT of registry entries must be made. Some of these registry entries include the SQL passwords, the NT administrator login passwords, etc. Fun for the whole family, and everything in plaintext.

4. The merchant certificates are stored in the SQL database whose passwords you just typed in plaintext into the registry. Sigh.

-megan

Megan Alexander: Webmaster, etc.
Command Software Systems
(561)575.3200 x 170
http://www.commandcom.com

-----Original Message-----
From: Tim Scanlon [SMTP:tfs () CHARM SEALSOFT COM]
Sent: Saturday, November 08, 1997 12:35 AM
To: BUGTRAQ () NETSPACE ORG
Subject: Re: Major security flaw in Cybercash 2.1.2

On Fri, 7 Nov 1997, Anonymous said:
In CyberCash's server, when the "DEBUG" flag is on, the contents of all credit card transactions are written to a log file (named "Debug.log" by default). The easiest workaround I've found is to simply delete the existing Debug.log file. In my experience with the Solaris release, the CyberCash software does not create this file at start time when the DEBUG flag is set to 0.
ln -s /dev/null Debug.log

Works easier than deleting over and over I'd hazard.

Tim
---
________________________________________________________________
tfs () sealsoft com (NeXTmail, MIME)
tfs () epic org (PGP key by req)
Tim Scanlon
Seal Technologies Inc.
crypto is good
I own my own words
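Two practical checks for the debug-log problem both messages above describe, added here by the editor; this is not code from either poster, from CyberCash or from vPOS. The first scans a log for Luhn-valid card numbers (so you can tell whether an existing Debug.log has already captured card data, without printing full PANs), the second applies the /dev/null symlink workaround with the arguments in ln's TARGET LINKNAME order and verifies it took. The file name Debug.log, the log layout and the card numbers in SAMPLE_LOG are constructed for the demo (the Visa/Mastercard test numbers), not taken from any real product.

```python
"""Checks for a transaction debug log that may contain card data.

  find_pans()      scan log text for Luhn-valid card numbers, reported masked
  null_debug_log() replace the log with a symlink to /dev/null
  log_is_nulled()  verify that the symlink workaround is in place

Editor's example. Debug.log, the log format and the card numbers are
constructed for the demo (assumptions, not product behaviour).
"""
import os
import re
import tempfile

# Heuristic: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; drops order ids and timestamps that happen to
    be card-length but are not valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first 6 and last 4 digits (the usual PCI masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return [(line_number, masked_pan), ...] for every Luhn-valid
    candidate in the log text. The full number is never returned."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


def log_is_nulled(path: str) -> bool:
    """True when path is a symlink that resolves to /dev/null."""
    return os.path.islink(path) and os.path.realpath(path) == os.path.realpath("/dev/null")


def null_debug_log(path: str) -> None:
    """The symlink workaround, equivalent to: ln -s /dev/null Debug.log
    (ln -s takes TARGET first, then LINKNAME). Removes whatever is at
    path, then links it to /dev/null so future writes are discarded."""
    if os.path.lexists(path):
        os.remove(path)
    os.symlink("/dev/null", path)


# Constructed sample of what a transaction debug log might contain.
SAMPLE_LOG = """\
11/10/1997 02:14:03 order=19971110021403 shopper=jdoe
11/10/1997 02:14:03 card_name="John Doe" card_exp=12/99
11/10/1997 02:14:03 card_num=4111111111111111 amount=49.95
11/10/1997 02:15:41 card_num=5500 0000 0000 0004 amount=12.00
11/10/1997 02:16:09 card_num=1234567890123456 amount=0.00 (fails Luhn)
"""


def demo_workaround():
    """Write SAMPLE_LOG to a temporary Debug.log, scan it, apply the
    symlink workaround, then show that a new write is discarded.
    Returns (hits_before, nulled_after, size_after_write)."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "Debug.log")
        with open(log, "w") as f:
            f.write(SAMPLE_LOG)
        with open(log) as f:
            hits_before = find_pans(f.read())
        null_debug_log(log)
        with open(log, "a") as f:          # the server keeps logging...
            f.write("card_num=4111111111111111\n")
        return hits_before, log_is_nulled(log), os.path.getsize(log)


if __name__ == "__main__":
    before, nulled, size = demo_workaround()
    for lineno, pan in before:
        print(f"line {lineno}: {pan}")
    print("nulled:", nulled, "bytes after write:", size)
```

Run it against a real log with `find_pans(open("Debug.log").read())` before deciding whether the file needs to be treated as a card-data exposure rather than just deleted; the symlink only stops future writes, it does nothing about copies already in backups or rotated logs.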
Current thread:
- Major security flaw in Cybercash 2.1.2 Anonymous (Nov 07)
- Re: Major security flaw in Cybercash 2.1.2 Tim Scanlon (Nov 07)
- <Possible follow-ups>
- Re: Major security flaw in Cybercash 2.1.2 Megan Alexander (Nov 11)