netsurfer.txt

2000-04-18T00:00:00
ID PACKETSTORM:17620
Type packetstorm
Reporter Elsewhere
Modified 2000-04-18T00:00:00

Description

                                        
                                            `**************************  
Software: Netsurfer for UNIX (version?)  
Platforms: UNIX (various ISPs)  
Problem: Any local user can obtain passwords and credit card numbers  
  
by elsewhere  
  
A problem exists in Netsurfer, Inc.'s Netsurfer software (see
www.netsurfer.com) that allows the average local user (anyone in the user
group) to obtain usernames, passwords, and credit card information for new
subscribers. The netsurfer program is designed for ISPs to let new
users subscribe via the web. Unfortunately, this software stores a
large amount of personal information in its logfile, located (at least
in my experience) in /usr/home/netsurfer/log. The logfile that contained
this information was called "signup140". Here is a sample of what a user
can find in this file, which can grow to be quite large (all data changed
to protect the innocent):
  
940615960 9413: jsmith = jsmith| jsmith2 = jsmith2 | jsmith3 = jsmith3  
940616005 9413:  
TransactionResult=Completed&Username=jsmith&Password=mypasswd&Email=jsmith&EmailPassword=mypasswd&ActivationTime=5
940618277 13974: Vars  
State=PA  
CardNumber=4011454980948545  
PaymentPlan=Visa  
FirstName=John  
AuthCode=5Zaz-KJEb-06yh  
Password=mypasswd  
Zip=19001-4333  
ExpMonth=03  
ReferralName=John Smith  
Verify=mypasswd  
LastName=Smith  
Address1=107 Cherry St.  
Address2=  
CardHolder=John Smith  
City=Notown  
Email1=jsmith  
Phone=121-555-1212  
Email2=jsmith2  
ReferralEmail=jsmith@myisp.net  
Email3=jsmith3  
ServicePlan=Standard Internet Account  
ExpYear=2001  
  
If a malicious user gains access to an ISP that uses this software, he can
return each day or week to retrieve the newly subscribed users'
information. A fix? Change the file permissions!
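The two defensive checks an ISP admin would want here, as an added example that is not part of the original advisory: a portable test of whether the signup log is readable by other local users (the exposure described above), a count of lines that still carry live secret fields (permissions only limit who reads a secret that should never have been written), the owner-only chmod the advisory asks for, and a redaction pass that keeps the log usable without credentials. The log contents and the temporary paths are constructed for the demo; the field names are the ones quoted in the advisory's sample.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a signup log like the one
# described above for (a) permissions that let other local users read it
# and (b) secret fields that should never have been written to disk.
# The log contents and paths below are constructed for the demo.

# Return 0 (true) when the group or "other" read bit is set on the file.
# Portable across GNU and BSD: parse the mode string from ls -ld,
# where character 5 is group-read and character 8 is other-read.
log_is_exposed() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Count lines that carry a live (unredacted) secret in one of the fields
# shown in the advisory's sample log. A nonzero count means the application
# is logging secrets; fixing permissions only limits who can read them.
count_secret_fields() {
    grep -c -E '(^|&)(Password|Verify|CardNumber|AuthCode|EmailPassword)=[^&<]' "$1" || true
}

# The minimal fix the advisory asks for: owner-only access. In production the
# owner would also be the service account (chown), which needs root.
harden_log() {
    chmod 600 "$1"
}

# Replace secret values with a marker, writing to a second file, so the log
# stays useful for troubleshooting without carrying credentials or card data.
redact_log() {
    sed -E 's/((Password|Verify|CardNumber|AuthCode|EmailPassword)=)[^&]*/\1<redacted>/g' "$1" > "$2"
}

# Write a constructed sample in the format quoted in the advisory.
write_sample_log() {
    cat > "$1" <<'EOF'
940616005 9413:
TransactionResult=Completed&Username=jsmith&Password=mypasswd&Email=jsmith&EmailPassword=mypasswd&ActivationTime=5
940618277 13974: Vars
CardNumber=4011454980948545
AuthCode=5Zaz-KJEb-06yh
Password=mypasswd
Verify=mypasswd
ServicePlan=Standard Internet Account
EOF
}

demo() {
    d=$(mktemp -d)
    f="$d/signup140"
    write_sample_log "$f"
    chmod 644 "$f"    # the weak setting the advisory describes
    log_is_exposed "$f" && echo "exposed: $f is readable by other local users"
    echo "secret fields before redaction: $(count_secret_fields "$f")"
    harden_log "$f"
    log_is_exposed "$f" || echo "hardened: $f is now owner-only"
    redact_log "$f" "$f.redacted"
    echo "secret fields after redaction:  $(count_secret_fields "$f.redacted")"
    rm -rf "$d"
}

demo
```

The permission check reads the `ls -ld` mode string rather than `stat`, because `stat` flags differ between GNU and BSD userlands and a signup box in this era could be either. Running the count before and after `chmod` makes the point explicit: the mode change stops other users reading the file, but only redaction (or not logging the fields at all) removes the secrets from disk.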
  
much respect to: Darrel, Brotka, and jer. Love to: JEN  
**************  
  