[ic] authnet security risk?

Paul Jordan interchange-users@icdevgroup.org
Sat Feb 22 16:23:01 2003


> Hmm, well this is a HUGE discussion about the theory of web security in
> relation to commerce, that could go on for a while and may or may not
> belong here, but hey, here's my 2 cents:
>

Yes, my question regarding IC would be the fact that a lot of information,
like MySQL database names/usernames/passwords and possibly AUTHNET
information exists in products/variable.txt. It seems to me that in 4.8.3
there was a bug that let a user arbitrarily read files owned by interchange.
(btw I am on 4.9.7 now)

So, I am wondering if maybe others are taking more measures to guard their
information. I am very concerned with security, and sometimes hire
consultants to solely ask about security theory in advance, but as one
consultant said to me early on... "Having your own server is kinda like being
naked in the woods". There will always be someone one step ahead, no matter
how big you are and how much security you have.

And, if so, what measures (in IC) are people taking? I am not an expert on
how IC tends to security. My main reason for posting this here is to see if
my assumption is accurate. If others say yes that there is concern, that a
simple second password would solve, then I would take the issue up with
AuthNet in more force. That is all.

The main issue is, I have, on my webserver, a .txt file with all the
information needed to access all customer credit card numbers. This seems
odd to me.


Regards,

Paul