Rapid 7 Advisory R7-0005: ZMerge Insecure Default ACLs

From: Rapid 7 Security Advisories (advisoryat_private)
Date: Fri Sep 06 2002 - 12:01:12 PDT


    _______________________________________________________________________
                         Rapid 7, Inc. Security Advisory
    
            Visit http://www.rapid7.com/ to download NeXpose(tm), our
             advanced vulnerability scanner. Linux and Windows 2000
                           versions are available now!
    _______________________________________________________________________
    
       Rapid 7 Advisory R7-0005
       Granite Software ZMerge Administration Database Insecure Default ACLs
    
       Published:  September 6, 2002
       Revision:   1.0
       CVE ID:     CAN-2002-0664
       Bugtraq ID: 5101
    
    1. Affected system(s):
    
       KNOWN VULNERABLE:
        o ZMerge 4.x
        o ZMerge 5.x
    
    2. Summary
    
       ZMerge is a Lotus Notes/Domino tool for mapping data between Lotus
       Notes databases and structured data files.  It runs on 32-bit MS
       Windows. By default, the ZMerge administration database grants
       Manager access to all users (including anonymous web users).  If
       the administrator neglects to change the database ACLs to something
       more appropriate, an unauthorized user could modify the data
       import/export scripts which might then be run by an administrator
       or scheduled agent.  Note that while anonymous web users can read
       and modify all scripts, they cannot run scripts interactively over
       the web.
    
    3. Vendor status and information
    
       ZMerge
       Granite Software
       http://www.gsw.com
    
       Granite Software was notified on June 12, 2002.  They have
       acknowledged the issue and agreed to address it in future revisions
       of ZMerge by shipping with a more secure default database ACL.
       They will also include documentation covering ACL considerations for
       review by the administrator.
    
    4. Solution
    
       Select the ZMerge administrator database (either zm50adm.nsf or
       zmevladm.nsf depending on which version of ZMerge you have).  Change
       the access level for Default and Anonymous to "No Access".
    
       If this information is not critical for distribution to other
       domains, also restrict access for OtherDomainServers to "No Access".
    
       For every entry that you have set to "No Access", verify that
       "Read public documents" and "Write public documents" are
       unchecked.  If not, access will still be permitted for any public
       documents (the database About document, etc.).
    
       While not as important, you should repeat this step for all of the
       ZMerge documentation and sample databases, including zmguide.nsf,
       zmlookup.nsf, and zmsamp*.nsf.  Better yet, delete these databases
       when you are finished using them.
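    The checks in this section can be scripted. The LotusScript agent below is
    an added example, not part of the advisory or of ZMerge; it audits the
    named ZMerge databases on a server (the server name is a placeholder) and
    reports any of the three entries that still grant access, including access
    left open through the public-document flags.

```lotusscript
' Added example (not from the advisory or Granite Software): audit the ACL
' settings that section 4 of the advisory tells administrators to change.
%INCLUDE "lsconst.lss"

Sub Initialize
    Dim session As New NotesSession
    Dim server As String
    server = "CN=DominoServer/O=Example"   ' ASSUMPTION: replace with your server
    ' File names taken from the advisory; zmsamp*.nsf databases must be added by hand.
    Dim files(3) As String
    files(0) = "zm50adm.nsf"
    files(1) = "zmevladm.nsf"
    files(2) = "zmguide.nsf"
    files(3) = "zmlookup.nsf"
    Dim i As Integer
    For i = 0 To UBound(files)
        AuditDatabase session, server, files(i)
    Next
End Sub

' Reports -Default-, Anonymous and OtherDomainServers entries that are not
' "No Access", or that are "No Access" but still have public read/write set.
Sub AuditDatabase(session As NotesSession, server As String, file As String)
    Dim db As NotesDatabase
    Set db = session.GetDatabase(server, file)
    If Not db.IsOpen Then
        Print file & ": not present or not readable on " & server
        Exit Sub
    End If
    Dim acl As NotesACL
    Set acl = db.ACL
    Dim names(2) As String
    names(0) = "-Default-"
    names(1) = "Anonymous"
    names(2) = "OtherDomainServers"
    Dim i As Integer
    Dim entry As NotesACLEntry
    For i = 0 To UBound(names)
        Set entry = acl.GetEntry(names(i))
        If entry Is Nothing Then
            ' Without an explicit entry, Anonymous and other servers inherit -Default-.
            Print file & ": no explicit entry for " & names(i) & " (inherits -Default-)"
        ElseIf entry.Level <> ACLLEVEL_NOACCESS Then
            Print file & ": " & names(i) & " has access level " & entry.Level & ", expected No Access"
        ElseIf entry.IsPublicReader Or entry.IsPublicWriter Then
            Print file & ": " & names(i) & " is No Access but public read/write is still checked"
        End If
    Next
End Sub
```

    Run it as a server-scheduled or manually triggered agent with an ID that
    holds Manager access to the databases; the Print output goes to the agent
    log.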
    
    5. Detailed analysis
    
       The ZMerge administration database contains the data import/export
       scripts used with ZMerge.  The scripts are interpreted by the ZMerge
       program on the server, allowing scripts to read and write arbitrary
       files on the server.  Several example scripts are included by default.
    
       While the ZMerge administration database allows users to run scripts
       from within the Notes client, it is NOT possible for an attacker to
       run scripts directly from a web client, because the database makes use
       of the Notes formula language "@ functions", which cannot run in the web
       context.  However, a web user could still read and modify existing
       scripts which may then be run as part of an agent or scheduled server
       task (or run directly by an unsuspecting administrator).
       
       Furthermore, since an attacker could use the information in the scripts
       (filenames and contents) to gain information about the server (the
       physical web root, for example), non-Administrative users should not
       have even "Reader" access to this database.
    
    6. Contact Information
    
       Rapid 7 Security Advisories
       Email:  advisoryat_private
       Web:    http://www.rapid7.com/
       Phone:  +1 (212) 558-8700
    



    This archive was generated by hypermail 2b30 : Fri Sep 06 2002 - 12:47:43 PDT