[NEWS] Granite Software ZMerge Administration Database Insecure Default ACLs

From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 8 Sep 2002 14:24:53 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Granite Software ZMerge Administration Database Insecure Default ACLs
------------------------------------------------------------------------

SUMMARY

 <http://www.gsw.com/> ZMerge is a Lotus Notes/Domino tool for mapping
data between Lotus Notes databases and structured data files. It runs on
32-bit MS Windows. By default, the ZMerge administration database grants
Manager access to all users (through its -Default- and Anonymous ACL
entries), including anonymous web users. If the administrator does not
change the database ACL to something more appropriate, an unauthorized user
can modify the data import/export scripts, which may later be run by an
administrator or by a scheduled agent. Note that although anonymous web
users can read and modify every script, they cannot run scripts
interactively over the web.

DETAILS

Vendor status and information:
Granite Software was notified on June 12, 2002. They have acknowledged the
issue and agreed to address it in future revisions of ZMerge by shipping
with a more secure default database ACL. They will also add documentation
covering the ACL settings an administrator should review.

Solution:
Select the ZMerge administration database (either zm50adm.nsf or
zmevladm.nsf, depending on which version of ZMerge you have). Change the
access level for -Default- and Anonymous to "No Access".

If this information is not needed by servers in other domains, also set
OtherDomainServers to "No Access".

For every entry that you have set to "No Access", verify that "Read public
documents" and "Write public documents" are unchecked. Otherwise access is
still permitted to any public documents (the database "About" document,
and so on) despite the "No Access" level.

While less critical, repeat these steps for all of the ZMerge
documentation and sample databases, including zmguide.nsf, zmlookup.nsf,
and zmsamp*.nsf. Better yet, delete these databases when you are finished
with them.
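To apply and verify the settings above on every ZMerge database at once, here is an added example that is not part of the advisory and not code from Granite Software: a LotusScript agent that walks the server's data directory, finds the administration, documentation and sample databases named above, and forces -Default-, Anonymous and (optionally) OtherDomainServers to No Access with both public-document flags cleared. It also reports any of those entries that still held Reader or higher access, which is the situation the analysis below argues against. The RESTRICT_OTHER_DOMAINS switch and the assumption that the databases sit in the server's data directory are mine, not the advisory's.

```lotusscript
%INCLUDE "lsconst.lss"   ' ACLLEVEL_* and DATABASE constants

' Added example, not code from the advisory or from Granite Software: an agent
' that audits the ZMerge databases on a server and applies the ACL fixes above.
' Assumptions (not stated in the advisory): the databases are in the server's
' data directory, and the ID running the agent holds Manager access on each.

Const RESTRICT_OTHER_DOMAINS = True    ' False if other domains need the data

' True for the administration, documentation and sample databases named above.
Function IsZMergeDb(fileName As String) As Integer
	Dim f As String
	f = LCase(fileName)
	IsZMergeDb = (f = "zm50adm.nsf") Or (f = "zmevladm.nsf") Or _
	(f = "zmguide.nsf") Or (f = "zmlookup.nsf") Or _
	(Left(f, 6) = "zmsamp" And Right(f, 4) = ".nsf")
End Function

' Force one ACL entry to No Access with public read/write cleared; report changes.
Sub LockDownEntry(acl As NotesACL, entryName As String, dbName As String)
	Dim entry As NotesACLEntry
	Set entry = acl.GetEntry(entryName)
	If entry Is Nothing Then
		' A missing entry inherits -Default-; create it so the restriction is explicit.
		Set entry = acl.CreateACLEntry(entryName, ACLLEVEL_NOACCESS)
		Print dbName & ": created " & entryName & " with No Access"
	ElseIf entry.Level <> ACLLEVEL_NOACCESS Then
		Print dbName & ": " & entryName & " was level " & entry.Level & ", now No Access"
		entry.Level = ACLLEVEL_NOACCESS
	End If
	' No Access still lets public documents through unless both flags are off.
	If entry.IsPublicReader Or entry.IsPublicWriter Then
		Print dbName & ": " & entryName & " kept public-document rights, cleared"
		entry.IsPublicReader = False
		entry.IsPublicWriter = False
	End If
End Sub

Sub Initialize
	Dim session As New NotesSession
	Dim dir As NotesDbDirectory
	Dim db As NotesDatabase
	Dim acl As NotesACL

	' Walk the data directory of the server this agent runs on ("" = local).
	Set dir = New NotesDbDirectory(session.CurrentDatabase.Server)
	Set db = dir.GetFirstDatabase(DATABASE)
	While Not (db Is Nothing)
		If IsZMergeDb(db.FileName) Then
			If Not db.IsOpen Then Call db.Open("", "")
			' The ACL cannot be saved without Manager access, so skip rather than fail.
			If db.CurrentAccessLevel < ACLLEVEL_MANAGER Then
				Print db.FileName & ": skipped, need Manager access to edit the ACL"
			Else
				Set acl = db.ACL
				Call LockDownEntry(acl, "-Default-", db.FileName)
				Call LockDownEntry(acl, "Anonymous", db.FileName)
				If RESTRICT_OTHER_DOMAINS Then
					Call LockDownEntry(acl, "OtherDomainServers", db.FileName)
				End If
				Call acl.Save()
				Print db.FileName & ": ACL saved"
			End If
		End If
		Set db = dir.GetNextDatabase
	Wend
End Sub
```

Before running it, make sure the administrators who maintain ZMerge hold Manager access through their own ACL entry or group rather than through -Default-; once -Default- drops to No Access, anyone whose access came only from that entry is locked out. The agent refuses to touch a database where the running ID is not already Manager, since the ACL could not be saved anyway. Progress lines go to the agent log.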

Detailed analysis:
The ZMerge administration database contains the data import/export scripts
used with ZMerge. The scripts are interpreted by the ZMerge program on the
server, so a script can read and write arbitrary files on the server.
Several example scripts are included by default.

While the ZMerge administration database allows users to run scripts from
within the Notes client, an attacker cannot run scripts directly from a
web client, because the database relies on Notes formula-language
"@ functions" that are not available in the web context. However, a web
user can still read and modify existing scripts, which may then be run as
part of an agent or scheduled server task (or run directly by an
unsuspecting administrator).

Furthermore, since an attacker could use the information in the scripts
(file names and contents) to learn about the server (the physical web root,
for example), non-administrative users should not have even "Reader" access
to this database.

ADDITIONAL INFORMATION

The information has been provided by <mailto:advisory@rapid7.com> Rapid 7
Security Advisories.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
