TUCoPS :: Unix :: General :: mck-1.htm


CyberCash Merchant Connection Kit bugs
Vulnerability
 Merchant Connection Kit
Affected
 CyberCash MCK 3.2.0.4
Description
 Sheldon Young found the following. There is a serious security
 hole in the CyberCash Merchant Connection Kit version 3 due to
 inappropriate use of temporary files. The result is that local
 users are able to delete, corrupt and create files writable by
 the web server and prevent any credit card transactions from
 occurring. The basic problem is that in at least two places
 (CCMckLib3_2.pm and CCMckDirectLib3_2.pm) they do the following:
 my($tempfile) = "hash$$";
 $tempfile =~ tr/A-Za-z0-9_//cd;
 $tempfile = $TMPDIR . "$tempfile.tmp";
 # Input may be sensitive, so pipe it in...
 open(HASH,"| $computehash>$tempfile");
 print HASH $signThis;
 print HASH "\r\n"; # force a flush
 close(HASH);
 # get the base64-encoded MD5 hash
 open(TEMP,"< $tempfile");
 $hash = <TEMP>;
 chomp($hash);
 close(TEMP);
 # strip leading and trailing whitespace
 $hash = &Trim($hash);
 # clean up the temporary file
 unlink "$tempfile";
 That is so full of holes, but for those who don't read Perl:
 - Completely predictable temporary file names
 - They open() the file two different times without checking to
 see if it actually succeeded
 - Creates a temporary file blindly in /tmp without bothering
 to account for the usual holes like symbolic links
 - They DELETE the file without bothering to see if the open
 actually succeeded
 KSR[T] had a similar advisory coming out, which also discussed
 that the C API had similar /tmp problems, and possibly some
 other potential attacks. The most important factor to this
 vulnerability is that local users can halt businesses that rely on
 CyberCash to process credit card orders from doing business over
 the web. Another item to note is that there is also an active
 server page version of CyberCash which remains unaudited.
Solution
 The workaround is to not allow local users on the same machine as
 any credit card processing (may be difficult for web hosting
 companies), to not use the Perl API (no guarantee the same
 mistakes aren't made in the other APIs), or to fix the code.
 CyberCash will fix that in the next release.
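
 One way to take the "fix the code" option, shown as an added example
 (not CyberCash's code and not part of the original advisory). It
 assumes a Unix host; compute_hash(), @cmd and the stand-in helper at
 the bottom are hypothetical names introduced for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use POSIX ();

# compute_hash() is a hypothetical replacement for the original block.
# @cmd is the external hash helper as a list (program, args), so no shell
# and no redirection to a path are involved.
sub compute_hash {
    my ($sign_this, @cmd) = @_;

    # Unpredictable name, created with O_CREAT|O_EXCL and mode 0600: a
    # pre-planted symlink or file makes creation fail, it is never followed.
    my ($tmp_fh, $tmp_name) = tempfile('mckhashXXXXXXXXXX', TMPDIR => 1);
    # Drop the name immediately; the data stays reachable via $tmp_fh only.
    unlink($tmp_name) or die "unlink $tmp_name: $!";

    local $SIG{PIPE} = 'IGNORE';    # a dead helper is reported by close()
    my $pid = open(my $to_child, '|-');
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: stdin is the pipe, stdout becomes the descriptor we hold.
        open(STDOUT, '>&', $tmp_fh) or POSIX::_exit(126);
        exec { $cmd[0] } @cmd or POSIX::_exit(127);
    }
    # Input may be sensitive, so it goes down the pipe, as in the original.
    print {$to_child} $sign_this, "\r\n" or die "write to helper: $!";
    close($to_child) or die "hash helper failed (status $?)";

    # Read the result back through the same handle, never by path.
    seek($tmp_fh, 0, 0) or die "seek: $!";
    my $hash = <$tmp_fh>;
    close($tmp_fh);
    die "hash helper produced no output\n" unless defined $hash;
    $hash =~ s/^\s+|\s+$//g;        # strip leading and trailing whitespace
    return $hash;
}

# Constructed stand-in for $computehash: perl printing a base64 MD5 of stdin.
my @helper = ($^X, '-MDigest::MD5=md5_base64', '-e',
              'local $/; print md5_base64(<STDIN>), "\n"');
print compute_hash('constructed sample message', @helper), "\n";
```

 Every open, write and close is checked, and the file has no name left
 in the temporary directory by the time the helper runs.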
