(hhp) SMPS advisory.
(hhp) hhp-ADV#3
by: loophole
hhp@hhp.perlx.com
4/29/99 10:35:53pm CST.
----------------------------------------------

SMPS (Server merchant payment system) has default permission problems. The directory with the wrong mode is Cybercashserver/smps*, which gives complete access to view all the config and database files.

The most dangerous file that is left world readable is:

Cybercashserver/smps*.../merchants/admin.pw

or possibly another directory path/location, depending on the server and version of the software. The admin.pw file contains a crypt(3) password. This could lead to a system-wide compromise if it were to be cracked.

The official website for this software that was found in the README file currently doesn't allow access to view the website, which made it hard for me to build more information about this software.

My suggestion to admins using this software is to disable this software, change the modes on the directory, and get in contact with the vendor of this software to find out when they plan to release a new version fixing this default problem. If you want to play it safe, I would check your server to see if you have already been cracked and hacked.

I have notified the vendors of this software about the problem and hope the best to all the clients.
----------------------------------------------
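
One way to carry out the check and the mode change recommended above, as an added example that is not part of the original advisory or of the vendor's software. It reports each admin.pw that "other" can actually reach (the file is o+r and every directory up to the tree root is o+x) and can strip "other" access from the tree; the function names and the path passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory). Function names are hypothetical.
# Usage after sourcing: audit_smps /path/to/Cybercashserver/<smps dir>

# True if "other" holds octal permission bit $2 on path $1
# (004 = read, 001 = search/execute). Reads mode bits, so the answer
# is the same when the audit runs as root.
other_has() {
    [ -n "$(find "$1" -prune -perm "-$2" -print)" ]
}

# True if file $2 is readable by "other" AND every directory from the
# file up to the tree root $1 is searchable by "other". Directories
# above $1 are not examined.
exposed_to_other() {
    other_has "$2" 004 || return 1
    dir=$(dirname "$2")
    while :; do
        other_has "$dir" 001 || return 1
        case "$dir" in "$1"|/|.) return 0 ;; esac
        dir=$(dirname "$dir")
    done
}

# Print "EXPOSED <path>" for each admin.pw below $1 that any local
# user could read.
audit_smps() {
    root=${1%/}
    find "$root" -type f -name admin.pw -print | while IFS= read -r f; do
        if exposed_to_other "$root" "$f"; then echo "EXPOSED $f"; fi
    done
}

# Remove all "other" permission bits below $1; symlinks are skipped
# because chmod would follow them to their targets.
harden_smps() {
    find "${1%/}" ! -type l -exec chmod o-rwx {} +
}
```

Removing o+x from any single directory on the path is enough to hide admin.pw from other local users, which is why the audit walks the parent chain instead of looking at the file's mode alone.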