From advisory@rapid7.com Tue Sep 10 19:19:06 2002
From: Rapid 7 Security Advisories
To: vulnwatch@vulnwatch.org
Date: Fri, 6 Sep 2002 15:20:30 -0400
Subject: [VulnWatch] Rapid 7 Advisory R7-0005: ZMerge Insecure Default ACLs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

                      Rapid 7, Inc. Security Advisory

       Visit http://www.rapid7.com/ to download NeXpose(tm),
       our advanced vulnerability scanner.
       Linux and Windows 2000 versions are available now!
_______________________________________________________________________

Rapid 7 Advisory R7-0005
Granite Software ZMerge Administration Database Insecure Default ACLs

   Published:  September 6, 2002
   Revision:   1.0
   CVE ID:     CAN-2002-0664
   Bugtraq ID: 5101

1. Affected system(s):

   KNOWN VULNERABLE:
    o ZMerge 4.x
    o ZMerge 5.x

2. Summary

   ZMerge is a Lotus Notes/Domino tool for mapping data between Lotus
   Notes databases and structured data files. It runs on 32-bit MS
   Windows.

   By default, the ZMerge administration database grants Manager access
   to all users (including anonymous web users). If the administrator
   neglects to change the database ACL to something more appropriate, an
   unauthorized user could modify the data import/export scripts, which
   might then be run by an administrator or a scheduled agent.

   Note that while anonymous web users can read and modify all scripts,
   they cannot run scripts interactively over the web.

3. Vendor status and information

   ZMerge
   Granite Software
   http://www.gsw.com

   Granite Software was notified on June 12, 2002. They have
   acknowledged the issue and agreed to address it in future revisions
   of ZMerge by shipping with a more secure default database ACL. They
   will also include documentation covering ACL considerations for
   review by the administrator.

4. Solution

   Select the ZMerge administration database (either zm50adm.nsf or
   zmevladm.nsf, depending on which version of ZMerge you have).

   Change the access level for Default and Anonymous to "No Access".
   If this information is not critical for distribution to other
   domains, also restrict access for OtherDomainServers to "No Access".

   For every entry that you have set to "No Access", verify that "Read
   public documents" and "Write public documents" are unchecked. If they
   are checked, access will still be permitted to any public documents
   (the database About document, etc.).

   While not as important, you should repeat this step for all of the
   ZMerge documentation and sample databases, including zmguide.nsf,
   zmlookup.nsf, and zmsamp*.nsf. Better yet, delete these databases
   when you are finished using them.

5. Detailed analysis

   The ZMerge administration database contains the data import/export
   scripts used with ZMerge. The scripts are interpreted by the ZMerge
   program on the server, allowing scripts to read and write arbitrary
   files on the server. Several example scripts are included by default.

   While the ZMerge administration database allows users to run scripts
   from within the Notes client, it is NOT possible for an attacker to
   run scripts directly from a web client, because the database makes
   use of the Notes formula language "@ functions", which cannot run in
   the web context. However, a web user could still read and modify
   existing scripts, which may then be run as part of an agent or
   scheduled server task (or run directly by an unsuspecting
   administrator).

   Furthermore, since an attacker could use the information in the
   scripts (filenames and contents) to learn about the server (the
   physical web root, for example), non-administrative users should not
   have even "Reader" access to this database.

6. Contact Information

   Rapid 7 Security Advisories
   Email: advisory@rapid7.com
   Web:   http://www.rapid7.com/
   Phone: +1 (212) 558-8700

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9ePpDcL76DCfug6wRAkGyAJ9TmiVLzxabeot55ua0lqh4G1sp/QCeIvXv
JgKsMUbOMMQSJiB4vsqPPsU=
=iqgl
-----END PGP SIGNATURE-----
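The Solution section above is a manual, per-entry procedure in the Notes ACL dialog. The following LotusScript agent is an added example, not part of the Rapid 7 advisory or of Granite Software's product, that applies the same three steps to one ZMerge database and then lists any entry that still has more than "No Access". It assumes the agent runs with Manager rights on the target database, that the database file name matches your ZMerge version (zm50adm.nsf or zmevladm.nsf, as the advisory states), and that the standard Notes "-Default-", "Anonymous" and "OtherDomainServers" entry names apply.

```lotusscript
%INCLUDE "lsconst.lss"

' Added example (not from the advisory): harden the ACL of a ZMerge database.
' Assumes Manager access on the database named in Initialize below.

Sub HardenEntry(acl As NotesACL, entryName As String)
    ' Set the named entry to No Access and clear both public-document flags;
    ' with either flag left on, public documents (the About document, etc.)
    ' remain readable or writable despite the No Access level.
    Dim entry As NotesACLEntry
    Set entry = acl.GetEntry(entryName)
    If entry Is Nothing Then
        ' No explicit entry yet (common for Anonymous): create one at No Access
        ' so web users do not silently fall back to the Default entry.
        Set entry = New NotesACLEntry(acl, entryName, ACLLEVEL_NOACCESS)
    Else
        entry.Level = ACLLEVEL_NOACCESS
    End If
    entry.IsPublicReader = False
    entry.IsPublicWriter = False
End Sub

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry

    ' Assumed file name; use zmevladm.nsf for the other ZMerge version.
    Set db = session.GetDatabase("", "zm50adm.nsf")
    Set acl = db.ACL

    Call HardenEntry(acl, "-Default-")
    Call HardenEntry(acl, "Anonymous")
    ' Only when the scripts need not replicate to other domains.
    Call HardenEntry(acl, "OtherDomainServers")

    Call acl.Save

    ' Verification pass: report every entry that still grants access or
    ' keeps a public-document flag, so the administrator can review it.
    Set entry = acl.GetFirstEntry
    Do Until entry Is Nothing
        If entry.Level > ACLLEVEL_NOACCESS Or entry.IsPublicReader Or entry.IsPublicWriter Then
            Print entry.Name & ": level=" & entry.Level & _
                  " publicReader=" & entry.IsPublicReader & _
                  " publicWriter=" & entry.IsPublicWriter
        End If
        Set entry = acl.GetNextEntry(entry)
    Loop
End Sub
```

Run the agent once per affected database (the administration database first, then zmguide.nsf, zmlookup.nsf and the zmsamp*.nsf samples if you keep them). The verification loop deliberately prints rather than changes the remaining entries: named administrators and servers that legitimately hold Manager access should be confirmed by a person, not stripped by a script.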