(hhp) SMPS advisory. (hhp)
----------------------------------------------
       SMPS (Server  merchant  payment system)
has  default  permission  problems.  The wrong
moded directory is Cybercashserver/smps* which
gives  complete  access to view all the config
and  database  files.  The most dangerous file
that is left world readable is:
Cybercashserver/smps*.../merchants/admin.pw or
maybe  another various directory path/location
depending  on  the  server  and version of the
software.  The  admin.pw  contains  a crypt(3)
passwd.  This  could  lead  to  a  system-wide
compromise if it was to be cracked.
       The  official website for this software
that  was  found  in the README file currently
doesnt  allow access to view the website which
made  it hard for me to build more information
about this software.
       My  suggestions  to  admins using this
software  is to disable this software, change
the modes on the directory and get in contact
with the vendor of this software and find out
when  they  plan  to release a new version of
this software fixing this defualt problem. If
you  want to play it safe, I would check your
server  to  see  if  you  have  already  been
cracked and hacked.
       I  have  notified  the vendors of this
software  about the problem and hope the best
to all the clients.

-elaich
4-29-99 10:35:53pm CST

-----------------------------------------
elaich of the hhp.            hhp-1999(c)
Email:  hhp@hemp.net
Web:   http://hhp.hemp.net/  
Voice: 1-800-Rag-on-gH pin: The-hhp-crew
hhp-ms: hhp.hemp.net, port:7777, pass:hhp
-----------------------------------------

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGPfreeware 6.0 for non-commercial use <www.pgp.com>
mQGiBDcl8CwRBAD7xCp+A5ORiRzMLS4mPstL1aJadSCXSGyNKEZZ6kZwdO3YhLCf
2vkeJF0OGe8KRfd8LRxP0f/3syg7lfH77m0OP8NXeoOHD48T8K4Mabp2WEJmUW0r
J6op94LjFUwqNqYuOa+bVULrotZY6iWlxBWunltu9wrqgP22RVtKAu0PVwCg/2SS
rYoDCNTH4dlzNcVcza5XuhMEALbmuKISbjeOqsVETYYMdQfr0M/m1YfztjJ2tDS7
bGfOCFpQUFLyCUt/FHHmlInXQWUSVCgjkp0/giFoY9dX+4IB8wLgfu68BOZM5fft
I5mxI0vyBSke2kHQTqf3vQ5Yveg6gIB8WW9Pi+MAwLMS3+Hmrar+4GCUOqe9w3yi
u1q3BADcAM3VkORpkifjK8pWex1fdfvGmLBX5PBuCexl5dpeXdVC+Ktncis9u4yh
5f/PI/g/Uk4T2D/nF5PA4tSkNvRJaPVZCXjFRfc4K+rzQxuYRePwXFgaHSk9cDnd
XBq5JM6iXLBGFIJpbbwWkftuFOaJLXdP/DqDaXkjbWXLbH9nN7QhZWxhaWNoIG9m
IGhocC4gPGhocEBoaHAuaGVtcC5uZXQ+iQBLBBARAgALBQI3JfAsBAsDAgEACgkQ
bSmqkM1thIxvkQCeIEUYJTwF5nC+T9DUcUqStqpwtiQAoIzw9fqSB026Q+w0CGWe
BPX9LD5ruQINBDcl8DMQCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFuuUs4INoB
p1ajFOmPQFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89PY3bzpnh
V5JZzf24rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa8L9GAFgr
5fSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsYjY67VYy4
XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zaf
q9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7AAICB/oCoABrcAodA+Qw
0QOzptm6arxtaRte4a6ZQs+N4Y63+S5oKBz4/atHGGIqgcxCUaaPCxfcqRMoz6Tw
ZhxOKe3/xKA+qPRfLP19P3nHcTLZqa/orvohDu235OQHBd5Mi6sr2MUcUL1WfsU7
fPZEjwu6d3MuXpjJUeFzNezJzIbXNzqFAVQawVH6lV+xGfqjD0zceGFGALvvGVxL
ANdmCzqjE1LFbqf1Zdd04lKYKSglX4PFz3Ly/jzi22GFxMuGf6ud4R80wUC0zBKO
RZHX3jPqjrqfbY9dq1vpBNDEugOYPqv3/lNlkoxUzKhJCZLPUcbQQs+BuNUUcRW9
dEkl71kuiQBGBBgRAgAGBQI3JfAzAAoJEG0pqpDNbYSMFgIAoMUE0SGIfqg0oj9e
oY9AHDAScmZtAKDgKF7STtRwB4KJ6/Q9HC3gUgGBbA==
=GJ0e
-----END PGP PUBLIC KEY BLOCK-----