• Nexpose
  • Overview
  • Features
  • Architecture & Open API
  • Try NeXpose
  • Buy NeXpose
  • System Requirements
  • Vulnerabilities Tested
  • NeXpose Information
• Solutions
  • Web Application VA
  • Database VA
  • Network & OS VA
  • Compliance Scanning
• Services
  • PCI Compliance Testing
  • Penetration Testing
  • Web Application Security Audits
  • Best Practices Consulting
  • Social Engineering
  • NeXpose Training
• Support
  • NeXpose FAQ
  • System Requirements
  • Support Form
  • Vulnerabilities Tested
  • Customer Center Login
• Security Center
  • Advisories
  • Vulnerabilities Tested
  • Compliance
  • White Papers & Articles
  • SSHredder Test Suite
• Company
  • Management
  • Board of Directors
  • Investors
  • Customers
  • Partners
  • Press Room
  • Events
  • Careers
• Customers

• Advisories
• Vulnerabilities Tested
• Compliance
• White Papers & Articles
• SSHredder Test Suite

_______________________________________________________________________
                     Rapid7, LLC Security Advisory
            Visit http://www.rapid7.com/ to download NeXpose,
        SC Magazine Winner of Best Vulnerability Management product.
_______________________________________________________________________


   Rapid7 Advisory R7-0005
    Granite Software ZMerge Administration Database Insecure Default ACLs

   Published:  September 6, 2002
   Revision:   1.0
   CVE ID:     CAN-2002-0664
   Bugtraq ID: 5101

1. Affected system(s):

   KNOWN VULNERABLE:
    o ZMerge 4.x
    o ZMerge 5.x

2. Summary

   ZMerge is a Lotus Notes/Domino tool for mapping data between Lotus
   Notes databases and structured data files.  It runs on 32-bit MS
   Windows. By default, the ZMerge administration database grants
   Manager access to all users (including anonymous web users).  If
   the administrator neglects to change the database ACLs to something
   more appropriate, an unauthorized user could modify the data
   import/export scripts which might then be run by an administrator
   or scheduled agent.  Note that while anonymous web users can read
   and modify all scripts, they cannot run scripts interactively over
   the web.

3. Vendor status and information

   ZMerge
   Granite Software
   http://www.gsw.com

   Granite Software was notified on June 12, 2002.  They have
   acknowledged the issue and agreed to address it in future revisions
   of ZMerge by shipping with a more secure default database ACL.
   They will also include documentation that includes ACL
   considerations for the review by the administrator.

4. Solution

   Select the ZMerge administrator database (either zm50adm.nsf or
   zmevladm.nsf depending on which version of ZMerge you have).  Change
   the access level for Default and Anonymous to "No Access".

   If this information is not critical for distribution to other
   domains, also restrict access for OtherDomainServers to "No Access".

   For every entry that you have set to "No Access", verify that
   "Read public documents" and "Write public documents" are
   unchecked.  If not, access will still be permitted for any public
   documents (the database About document, etc.).

   While not as important, you should repeat this step for all of the
   ZMerge documentation and sample databases, including zmguide.nsf,
   zmlookup.nsf, and zmsamp*.nsf.  Better yet, delete these databases
   when you are finished using them.

5. Detailed analysis

   The ZMerge administration database contains the data import/export
   scripts used with ZMerge.  The scripts are interpreted by the ZMerge
   program on the server, allowing scripts to read and write arbitrary
   files on the server.  Several example scripts are included by default.

   While the ZMerge administration database allows users to run scripts
   from within the Notes client, it is NOT possible for an attacker to
   run scripts directly from a web client, because the database makes use
   of the Notes formula language "@ functions", which cannot run in the web
   context.  However, a web user could still read and modify existing
   scripts which may then be run as part of an agent or scheduled server
   task (or run directly by an unsuspecting administrator).

   Furthermore, since an attacker could use the information in the scripts
   (filenames and contents) to gain information about the server (the
   physical web root, for example), non-Administrative users should not
   have even "Reader" access to this database.

6. Contact Information

   Rapid7 Security Advisories
   Email:  advisory@rapid7.com
   Web:    http://www.rapid7.com/
   Phone:  +1 (212) 558-8700

7. Disclaimer and Copyright

    Rapid7, LLC is not responsible for the misuse of the information
    provided in our security advisories. These advisories are a service
    to the professional security community.  There are NO WARRANTIES
    with regard to this information. Any application or distribution of
    this information constitutes acceptance AS IS, at the user's own
    risk.  This information is subject to change without notice.

    This advisory Copyright (C) 2002 Rapid7, LLC.  Permission is
    hereby granted to redistribute this advisory in electronic media
    only, providing that no changes are made and that the copyright
    notices and disclaimers remain intact.  This advisory may not be
    printed or distributed in non-electronic media without the
    express written permission of Rapid7, LLC.

Copyright © 2001 - 2008, Rapid7, LLC. All Rights Reserved.

• Home
• |
• Nexpose
• |
• Solutions
• |
• Services
• |
• Support
• |
• Security Center
• |
• Company
• |
• Contact