Bugtraq Archives: Re: CyberCash MCK 3.2.0.4: Large /tmp hole (f

Re: CyberCash MCK 3.2.0.4: Large /tmp hole (fwd)


Subject: Re: CyberCash MCK 3.2.0.4: Large /tmp hole (fwd)
From: Dave G. (dhgKSRT.ORG)
Date: Thu Jan 13 2000 - 16:33:36 CST


>
> Manufacturer: CyberCash (http://www.cybercash.com)
> Software: Merchant Connection Kit
> Version: 3.2.0.4
>

KSR[T] had a similar advisory coming out, which also discussed that the C
API had similar /tmp problems, and possibly some other potential attacks.
We will make the advisory available on the website by the end of Friday.
Since I don't have the advisory in front of me, I can't confirm the
details of the C API.

The most important factor to this vulnerability (as discussed by Sheldon)
is that local users can halt businesses that rely on Cybercash to process
credit card orders from doing business over the web.

Another item to note is that there is also an active server page version
of Cybercash which remains unaudited.

Dave G.
http://www.ksrt.org
http://www.ksrt.org/~daveg


