**************************
Software: Netsurfer for UNIX (version?)
Platforms: UNIX (various ISPs)
Problem: Any local user can obtain passwords and credit card numbers

by elsewhere

	A problem exists in Netsurfer, Inc.'s Netsurfer software (see
www.netsurfer.com) that allows the average local user (anyone in the user
group) to obtain usernames, passwords, and credit card information for new
subscribers.  The netsurfer program is designed for ISPs to allow new
users to subscribe via the web.  Unfortunately, this software stores an
abundant amount of personal information in its logfile, located (at least
in my experience) in /usr/home/netsurfer/log.  The logfile that contains
this information was called "signup140".  Here is a sample of what a user
can find in this file, which can grow to be quite large (all data changed
to protect the innocent):

940615960 9413: jsmith = jsmith| jsmith2 = jsmith2 | jsmith3 = jsmith3
940616005 9413:
TransactionResult=Completed&Username=jsmith&Password=mypasswd&Email=jsmith&EmailPassword=mypasswd&ActivationTime=5
940618277 13974: Vars
  State=PA
  CardNumber=4011454980948545
  PaymentPlan=Visa
  FirstName=John
  AuthCode=5Zaz-KJEb-06yh
  Password=mypasswd
  Zip=19001-4333
  ExpMonth=03
  ReferralName=John Smith
  Verify=mypasswd
  LastName=Smith
  Address1=107 Cherry St.
  Address2=
  CardHolder=John Smith
  City=Notown
  Email1=jsmith
  Phone=121-555-1212
  Email2=jsmith2
  ReferralEmail=jsmith@myisp.net
  Email3=jsmith3
  ServicePlan=Standard Internet Account
  ExpYear=2001

	If a malicious user gains access to an ISP that uses this software, he can
return each day or week to retrieve the newly subscribed users'
information.  A fix?  Change the rights!

much respect to: Darrel, Brotka, and jer.  Love to: JEN
**************
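
Added example, not part of the original advisory and not Netsurfer code: one way an administrator could check a signup log for the exposure described above and apply the "change the rights" fix. The function names and the SAMPLE data are constructed for illustration; the field names come from the log sample in the advisory, and redact() goes one step beyond the advisory's fix by masking values already written.

```python
import os
import re
import stat

# Credential-bearing keys seen in the advisory's log sample.
SENSITIVE = re.compile(
    r"\b(Password|EmailPassword|Verify|CardNumber|AuthCode)=[^&\s|]+")

# Constructed sample in the same layout as the advisory's excerpt.
SAMPLE = (
    "940616005 9413:\n"
    "TransactionResult=Completed&Username=alice&Password=example1"
    "&Email=alice&EmailPassword=example1&ActivationTime=5\n"
    "940618277 13974: Vars\n"
    "  CardNumber=0000000000000000\n"
    "  City=Notown\n"
)

def audit_log(path):
    """Return (exposed, fields): exposed is True when group or other
    can read the file; fields lists the sensitive keys found in it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    found = set()
    with open(path, errors="replace") as fh:
        for line in fh:
            found.update(m.group(1) for m in SENSITIVE.finditer(line))
    return exposed, sorted(found)

def lock_down(path):
    """Restrict the file to owner read/write and return the new mode."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)

def redact(line):
    """Mask sensitive values in one log line, keeping the key names."""
    return SENSITIVE.sub(lambda m: m.group(1) + "=[REDACTED]", line)

if __name__ == "__main__":
    import sys
    for log in sys.argv[1:]:
        exposed, fields = audit_log(log)
        if exposed and fields:
            print(f"{log}: readable by group/other, contains {fields}")
            print(f"{log}: mode now {oct(lock_down(log))}")
```

Tightening the file mode only helps if the directory and any rotated copies of the log are restricted as well, and if the software does not recreate the file with a permissive mode.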

