compulink-laserfiche-passwd.txt

`Date: Thu, 28 Jan 1999 10:21:55 -0800  
From: Darren Rogers <[email protected]>  
To: [email protected]  
Subject: Compulink LaserFiche Client/Server - unencrypted passwords  
  
Background:  
LaserFiche is a popular client-server imaging system, which  
according to their website, 'is the trusted imaging system used by  
Fortune 1000 corporations and government agencies around the world.  
There are numerous law enforcement agencies using this software for  
records sotrage and retreival.  
  
Problem:  
In the NetWare based version (4.1 and 4.2), the user list and  
ACLs are stored in Btreive tables. Usernames, passwords, and group  
membership information is stored completely unencrypted in these  
tables, giving full access to anyone who can figure out how to open a  
Btreive table. Administrative changes can also be made to these  
tables without any logging, or control (normally an 'admin' user would  
have to add and delte users and change access levels).  
Big deal, it's client server, so clients don't need to have  
access to those tables. True, but... this product's 'security' and  
auditing abilites are often trusted by the court system to provide  
proof as to who created, viewed, or deleted a record (records  
management laws are very strict!). The legal ramifications are pretty  
ugly (lowly net-admins being valled to testify in court, etc.)  
  
Work-around:  
All LaserFiche tables should be secured (being client-server,  
users do NOT need to have any NetWare rights to the tables, or data  
store) from all users except the responsible records manager. Use  
NetWare's auditing feature in addition to the LF stuff to ensure that  
no direct access is made to said tables.  
At last contact, the company had no desire to fix this hole.  
  
`