**************************

Software:  Netsurfer for UNIX (version?)
Platforms: UNIX (various ISPs)
Problem:   Any local user can obtain passwords and credit card numbers by elsewhere

A problem exists in Netsurfer, Inc.'s Netsurfer software (see www.netsurfer.com) that allows the average local user (anyone in the user group) to obtain usernames, passwords, and credit card information for new subscribers.

The netsurfer program is designed for ISPs to allow new users to subscribe via the web. Unfortunately, this software stores an abundant amount of personal information in its logfile, located (at least in my experience) in /usr/home/netsurfer/log. The logfile that contains this information was called "signup140".

Here is a sample of what a user can find in this file, which can grow to be quite large (all data changed to protect the innocent):

    940615960 9413: jsmith = jsmith| jsmith2 = jsmith2 | jsmith3 = jsmith3
    940616005 9413: TransactionResult=Completed&Username=jsmith&Password=mypasswd&Email=jsmith&EmailPassword=mypasswd&ActivationTime=5
    940618277 13974: Vars
        State=PA
        CardNumber=4011454980948545
        PaymentPlan=Visa
        FirstName=John
        AuthCode=5Zaz-KJEb-06yh
        Password=mypasswd
        Zip=19001-4333
        ExpMonth=03
        ReferralName=John Smith
        Verify=mypasswd
        LastName=Smith
        Address1=107 Cherry St.
        Address2=
        CardHolder=John Smith
        City=Notown
        Email1=jsmith
        Phone=121-555-1212
        Email2=jsmith2
        ReferralEmail=jsmith@myisp.net
        Email3=jsmith3
        ServicePlan=Standard Internet Account
        ExpYear=2001

If a malicious user gains access to an ISP that uses this software, he can return each day or week to retrieve newly subscribed users' information.

A fix? Change the rights!

much respect to: Darrel, Brotka, and jer.
Love to: JEN

**************
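
An added example, not part of the original advisory or of the Netsurfer software: a POSIX shell audit for the "change the rights" fix. It flags files in a log directory that contain the credential and card fields seen in the sample above and are accessible to group or other; called with "fix", it restricts them to the owner. The directory argument, the function names, and the assumption that the signup process writes the log as the file's owner are assumptions.

```shell
#!/bin/sh
# Added example: audit a signup log directory for files that hold
# credentials or card data and are accessible beyond their owner.

# Field names taken from the sample log lines in the advisory.
SENSITIVE='(Password|CardNumber|Verify|AuthCode)='

# exposed FILE: succeeds if group or other has any permission bit set.
# Uses only POSIX "find -perm -mode" so it works on BSD and GNU alike.
exposed() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# audit_logs DIR [fix]: print "EXPOSED <path>" for each regular file in DIR
# that contains a sensitive field and is accessible to group or other.
# With "fix" as the second argument, also restrict the file to its owner.
# Assumption: the process writing the log runs as the file's owner, so
# mode 600 does not break logging.
audit_logs() {
    dir=$1
    mode=${2:-report}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eq "$SENSITIVE" "$f" || continue
        exposed "$f" || continue
        echo "EXPOSED $f"
        if [ "$mode" = fix ]; then
            chmod 600 "$f"
        fi
    done
    return 0
}

# Run as: sh audit.sh /path/to/logdir [fix]
if [ $# -gt 0 ]; then
    audit_logs "$@"
fi
```

Restricting the file mode stops other local users from reading the log, but the passwords and card numbers are still written to disk in cleartext and remain readable by the owning account and root.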