Netsurfer for UNIX permits local users to access sensitive data like passwords and credit card info.
**************************
Software: Netsurfer for UNIX (version?)
Platforms: UNIX (various ISPs)
Problem: Any local user can obtain passwords and credit card numbers
by elsewhere
A problem exists in Netsurfer, Inc.'s Netsurfer software (see
www.netsurfer.com) that allows the average local user (anyone in the user
group) to obtain usernames, passwords, and credit card information for new
subscribers. The netsurfer program is designed for ISPs to allow new
users to subscribe via the web. Unfortunately, this software stores an
abundant amount of personal information in its logfile, located (at least
in my experience) in /usr/home/netsurfer/log. The logfile that contains
this information was called "signup140". Here is a sample of what a user
can find in this file, which can grow to be quite large (all data changed
to protect the innocent):
940615960 9413: jsmith = jsmith| jsmith2 = jsmith2 | jsmith3 = jsmith3
940616005 9413:
TransactionResult=Completed&Username=jsmith&Password=mypasswd&Email=jsmith&E
mailPassword=mypasswd&ActivationTime=5
940618277 13974: Vars
State=PA
CardNumber=4011454980948545
PaymentPlan=Visa
FirstName=John
AuthCode=5Zaz-KJEb-06yh
Password=mypasswd
Zip=19001-4333
ExpMonth=03
ReferralName=John Smith
Verify=mypasswd
LastName=Smith
Address1=107 Cherry St.
Address2=
CardHolder=John Smith
City=Notown
Email1=jsmith
Phone=121-555-1212
Email2=jsmith2
[email protected]
Email3=jsmith3
ServicePlan=Standard Internet Account
ExpYear=2001
If a malicious user gains access to an ISP that uses this software, he can
return each day or week to retrieve the newly-subscribed user's
information. A fix? Change the rights!
much respect to: Darrel, Brotka, and jer. Love to: JEN
**************
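The post's remedy is to change the file rights. The following is an added example, not code from the advisory or from Netsurfer, Inc., that an administrator could run to audit a log directory for files readable by anyone other than the owner, inventory which of them carry signup secrets (it greps for the `Password=` and `CardNumber=` keys seen in the sample above), and tighten both the files and the directory. The directory path is taken from the post; the script name and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original advisory): audit a log directory for
# files that group or other can read and restrict them to owner-only access.
# Path /usr/home/netsurfer/log comes from the post; everything else is assumed.

# List regular files under $1 with the group-read (040) or other-read (004)
# permission bit set, i.e. files any local user in the group or anyone at all
# could open. Numeric modes are used so this works with POSIX and GNU find.
find_exposed_logs() {
    dir="$1"
    find "$dir" -type f \( -perm -040 -o -perm -004 \)
}

# From the files under $1, list those that actually contain signup secrets:
# the Password= and CardNumber= keys that appear in the sampled logfile.
files_with_secrets() {
    dir="$1"
    find "$dir" -type f -exec grep -l -E 'CardNumber=|Password=' {} \;
}

# Strip group/other access from every exposed file and from the directory
# itself, so the logs cannot be listed or read by other local users.
restrict_logs() {
    dir="$1"
    find_exposed_logs "$dir" | while IFS= read -r f; do
        chmod 600 "$f"
    done
    chmod 700 "$dir"
}

# Return the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: sh audit_logs.sh /usr/home/netsurfer/log
if [ "$#" -gt 0 ]; then
    echo "Files readable by group/other before hardening:"
    find_exposed_logs "$1"
    echo "Files that contain signup secrets:"
    files_with_secrets "$1"
    restrict_logs "$1"
    echo "Files readable by group/other after hardening:"
    find_exposed_logs "$1"
fi
```

Tightening the permissions stops the local-user exposure the post describes; the `files_with_secrets` listing is there so the operator can also see which logs should not hold passwords and card numbers in the first place, since a 0600 file is still a plaintext copy of every subscriber's credentials.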