COMMAND

    CyberCash

SYSTEMS AFFECTED

    Systems running (at least) CyberCash v. 2.1.2

PROBLEM

    jet posted the following. CyberCash v. 2.1.2 has a major security
    flaw that causes all credit card information processed by the server
    to be logged to a file with world-readable permissions. This security
    flaw exists in the default CyberCash installation and configuration.

    The flaw  is a  result of  not being  able to  turn off debugging.
    Setting the "DEBUG" flag to "0" in the configuration files  simply
    has no effect on the operation of the server.

    In CyberCash's server, when the  "DEBUG" flag is on, the  contents
    of all credit card transactions  are written to a log  file (named
    "Debug.log" by default).

SOLUTION

    The easiest workaround is to simply delete the existing Debug.log
    file. From experience with the Solaris release, the CyberCash
    software does not create this file at start time when the DEBUG flag
    is set to 0. Rather than deleting the file outright, it is easier to
    replace it with a symbolic link to /dev/null, so that anything the
    server still writes to it is discarded:

        ln -s /dev/null Debug.log

    Do this while the server is stopped: a process that already holds
    Debug.log open keeps writing to the old inode after the name is
    removed, and the existing file should be shredded or removed with the
    card data it already contains.
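    The following script is an added example, not part of the original
    advisory or of CyberCash, that audits a Debug.log path for the
    world-readable condition described above and applies the /dev/null
    workaround. The log path is an assumption (the advisory gives no
    install directory), and the check looks at mode bits only, not ACLs.

```shell
#!/bin/sh
# Added example: audit and neutralise a CyberCash Debug.log.
# The path to Debug.log is an assumption; pass your own as $1.

# Classify the state of a debug log path. Prints exactly one of:
#   missing, devnull, symlink, world-readable, restricted
debug_log_state() {
    log="$1"
    if [ -L "$log" ]; then
        # A link to /dev/null is the applied workaround; any other
        # link target still lands the card data in a real file.
        if [ "$(readlink "$log")" = "/dev/null" ]; then
            echo devnull
        else
            echo symlink
        fi
    elif [ ! -e "$log" ]; then
        echo missing
    else
        # Column 8 of "ls -ld" is the "other" read bit. Mode bits only;
        # ACLs are not examined.
        other_r="$(ls -ld "$log" | cut -c8)"
        if [ "$other_r" = "r" ]; then
            echo world-readable
        else
            echo restricted
        fi
    fi
}

# Replace the log with a symlink to /dev/null so that whatever the
# server writes is discarded. Idempotent: does nothing if already done.
# Stop the server first; an open file descriptor survives the unlink.
neutralise_debug_log() {
    target="$1"
    if [ "$(debug_log_state "$target")" = "devnull" ]; then
        return 0
    fi
    rm -f "$target" && ln -s /dev/null "$target"
}

# Usage: sh audit_debug_log.sh /path/to/Debug.log [...]
if [ $# -gt 0 ]; then
    for path in "$@"; do
        printf '%s: %s\n' "$path" "$(debug_log_state "$path")"
    done
fi
```

    Run it against each CyberCash instance's Debug.log; a result of
    "world-readable" means card data is exposed to every local user.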

    This flaw is in the debug logging function. A new release of the
    software is available and fixes the vulnerability described above.