Software: Netsurfer for UNIX (version?)
Platforms: UNIX (various ISPs)
Problem: Any local user can obtain passwords and credit card numbers

A problem exists in Netsurfer, Inc.'s Netsurfer software (see
www.netsurfer.com) that allows the average local user (anyone in the user
group) to obtain usernames, passwords, and credit card information for new
subscribers. The netsurfer program is designed for ISPs to allow new
users to subscribe via the web. Unfortunately, this software stores an
abundant amount of personal information in its logfile, located (at least
in my experience) in /usr/home/netsurfer/log. The logfile that contains
this information was called "signup140". Here is a sample of what a user
can find in this file, which can grow to be quite large (all data changed
to protect the innocent):
940615960 9413: jsmith = jsmith| jsmith2 = jsmith2 | jsmith3 = jsmith3
940618277 13974: Vars
Address1=107 Cherry St.
ServicePlan=Standard Internet Account
If a malicious user gains access to an ISP that uses this software, he can
return each day or week to retrieve the newly subscribed users'
information. A fix? Change the rights!
much respect to: Darrel, Brotka, and jer. Love to: JEN
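
The "change the rights" fix, sketched as an added example (not part of the original advisory and not Netsurfer's own tooling): a shell script that lists anything under the log directory that group or other can access, and can restrict it to the owner. The function names and the owner-only policy (0700 directories, 0600 files) are assumptions; the directory path is the one reported above.

```shell
#!/bin/sh
# Added example: audit a signup log directory for group/other access.
# Usage: sh audit_logs.sh /usr/home/netsurfer/log [fix]
# Function names and the owner-only policy are assumptions of this example.

# True when neither group nor other has any permission bit on $1.
# Characters 5-10 of the ls mode field are the group and other triplets.
is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print every file and directory under $1 that is not owner-only.
exposed_logs() {
    find "$1" \( -type f -o -type d \) | while IFS= read -r p; do
        is_private "$p" || printf '%s\n' "$p"
    done
}

# Restrict the tree to its owner: 0700 on directories, 0600 on files.
harden_logs() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

main() {
    dir=$1
    if [ "${2:-}" = "fix" ]; then
        harden_logs "$dir"
    fi
    found=$(exposed_logs "$dir")
    if [ -z "$found" ]; then
        echo "ok: $dir is accessible to its owner only"
        return 0
    fi
    printf 'accessible to group or other:\n%s\n' "$found"
    return 1
}

# Run only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Files the signup program creates later take their mode from its umask, so the account that writes the log also needs a umask of 077 for the restriction to hold on new logfiles.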