Date: Thu, 28 Jan 1999 10:21:55 -0800 From: Darren Rogers To: BUGTRAQ@netspace.org Subject: Compulink LaserFiche Client/Server - unencrypted passwords Background: LaserFiche is a popular client-server imaging system, which according to their website, 'is the trusted imaging system used by Fortune 1000 corporations and government agencies around the world. There are numerous law enforcement agencies using this software for records sotrage and retreival. Problem: In the NetWare based version (4.1 and 4.2), the user list and ACLs are stored in Btreive tables. Usernames, passwords, and group membership information is stored completely unencrypted in these tables, giving full access to anyone who can figure out how to open a Btreive table. Administrative changes can also be made to these tables without any logging, or control (normally an 'admin' user would have to add and delte users and change access levels). Big deal, it's client server, so clients don't need to have access to those tables. True, but... this product's 'security' and auditing abilites are often trusted by the court system to provide proof as to who created, viewed, or deleted a record (records management laws are very strict!). The legal ramifications are pretty ugly (lowly net-admins being valled to testify in court, etc.) Work-around: All LaserFiche tables should be secured (being client-server, users do NOT need to have any NetWare rights to the tables, or data store) from all users except the responsible records manager. Use NetWare's auditing feature in addition to the LF stuff to ensure that no direct access is made to said tables. At last contact, the company had no desire to fix this hole.