COMMAND

    Merchant Connection Kit

SYSTEMS AFFECTED

    CyberCash MCK 3.2.0.4

PROBLEM

    Sheldon Young found the following.  There is a serious security hole
    in the CyberCash Merchant Connection Kit version 3 due to the
    inappropriate use of temporary files.  The result is that local
    users are able to delete, corrupt and create files writable by the
    web server, and to prevent any credit card transactions from
    occurring.  The basic problem is that in at least two places
    (CCMckLib3_2.pm and CCMckDirectLib3_2.pm) the kit does the following
    to hash the data in $signThis:

        my($tempfile) = "hash$$";       # name is just "hash" plus the PID
        $tempfile =~ tr/A-Za-z0-9_//cd;

        $tempfile = $TMPDIR . "$tempfile.tmp";

        # Input may be sensitive, so pipe it in...
        # (the shell redirection ">$tempfile" follows a symbolic link
        # placed at that name, and the result of open() is not checked)
        open(HASH,"| $computehash >$tempfile");

        print HASH $signThis;
        print HASH "\r\n";   # force a flush
        close(HASH);

        # get the base64-encoded MD5 hash
        # (again unchecked: whatever is in the file at this moment is
        # taken as the hash)
        open(TEMP,"< $tempfile");

        $hash = <TEMP>;
        chomp($hash);
        close(TEMP);

        # strip leading and trailing whitespace
        $hash = &Trim($hash);

        # clean up the temporary file (unconditionally)
        unlink "$tempfile";

    That is so full of holes, but for those who don't read Perl:

        - Completely predictable temporary file names: "hash" followed
          by the process ID, so a local user can create that name (or a
          symbolic link at it) ahead of time
        - The file is open()ed twice, and neither open() is checked to
          see whether it actually succeeded
        - The temporary file is created blindly in /tmp ($TMPDIR)
          without bothering to account for the usual holes such as
          symbolic links: the shell redirection ">$tempfile" follows a
          link, so the hash program's output lands in any file the web
          server user can write to
        - The file is then read back, so whatever a local user has put
          at that name between the write and the read becomes $hash
        - They DELETE the file without bothering to see if the open
          actually succeeded
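    The routine rewritten without a temporary file, as an added example
    (this is not CyberCash code, and the real kit's $computehash program
    is stood in by a Perl one-liner so the script runs on its own; it is
    assumed, as the original comments say, that $computehash reads the
    data on stdin and prints the base64 MD5 on stdout).  The sensitive
    input goes to the hash program over one pipe and the result comes
    back over another, so there is nothing in $TMPDIR for a local user
    to predict, symlink or replace, the program is run without a shell,
    and every step is checked.

```perl
#!/usr/bin/perl
# Added example, not CyberCash code: the hash-file routine from the
# advisory rewritten with two pipes instead of a temporary file.
use strict;
use warnings;
use IPC::Open2 qw(open2);

# Assumption: the kit's $computehash reads data on stdin and prints the
# base64 MD5 on stdout.  It is stood in here by a Perl one-liner so the
# script runs without the kit; swap in the real program path and
# arguments, as a list (never one string), so that no shell is involved
# and no redirection to a file name is needed.
my @computehash = ($^X, '-MDigest::MD5=md5_base64', '-e',
                   'local $/; print md5_base64(<STDIN>), "\n"');

# Same leading/trailing whitespace trimming the original's &Trim does.
sub Trim {
    my ($s) = @_;
    $s =~ s/^\s+//;
    $s =~ s/\s+$//;
    return $s;
}

sub compute_hash {
    my ($signThis) = @_;

    # open2 forks and execs the program directly and dies if the fork or
    # exec fails, so a silent failure is no longer possible.
    my $pid = open2(my $from_hash, my $to_hash, @computehash);

    # Feed the input over the pipe.  The trailing CRLF is kept because
    # the original writes it too, and it is part of what gets hashed.
    print {$to_hash} $signThis, "\r\n";
    close($to_hash) or die "writing to hash program failed: $!";

    # Read the single line of output back from the child's stdout.
    my $hash = <$from_hash>;
    close($from_hash);
    waitpid($pid, 0);
    die "hash program exited with status " . ($? >> 8) if $? != 0;
    die "hash program produced no output" unless defined $hash;

    chomp($hash);
    return Trim($hash);
}

# Constructed sample input, not a real CyberCash message.
my $signThis = "order-id=1001&amount=usd 19.95";
my $hash = compute_hash($signThis);
print "hash: $hash\n";
```

    If a file on disk really is unavoidable, the right tool in Perl is
    File::Temp's tempfile(), which picks an unpredictable name and opens
    it with O_CREAT|O_EXCL and mode 0600, and whose returned handle
    should be passed to the child rather than its name being handed to
    a shell redirection.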

    KSR[T] had a similar advisory coming out, which also discussed that
    the C API has similar /tmp problems, and possibly some other
    potential attacks.  The most important factor in this vulnerability
    is that local users can stop businesses that rely on CyberCash to
    process credit card orders from doing business over the web.
    Another item to note is that there is also an Active Server Pages
    version of CyberCash which remains unaudited.

SOLUTION

    The workarounds are to not allow local users on the same machine as
    any credit card processing (which may be difficult for web hosting
    companies), to not use the Perl API (although there is no guarantee
    the same mistakes aren't made in the other APIs; the C API is
    reported to have the same /tmp problems), or to fix the code.
    CyberCash will fix this in the next release.