Date: Thu, 28 Jan 1999 10:21:55 -0800
From: Darren Rogers <DROGERS@CI.SIMI-VALLEY.CA.US>
To: BUGTRAQ@netspace.org
Subject: Compulink LaserFiche Client/Server - unencrypted passwords

Background:
        LaserFiche is a popular client-server imaging system, which
according to their website, 'is the trusted imaging system used by
Fortune 1000 corporations and government agencies around the world.
There are numerous law enforcement agencies using this software for
records sotrage and retreival.

Problem:
        In the NetWare based version (4.1 and 4.2), the user list and
ACLs are stored in Btreive tables.  Usernames, passwords, and group
membership information is stored completely unencrypted in these
tables, giving full access to anyone who can figure out how to open a
Btreive table.  Administrative changes can also be made to these
tables without any logging, or control (normally an 'admin' user would
have to add and delte users and change access levels).
        Big deal, it's client server, so clients don't need to have
access to those tables.  True, but... this product's 'security' and
auditing abilites are often trusted by the court system to provide
proof as to who created, viewed, or deleted a record (records
management laws are very strict!).  The legal ramifications are pretty
ugly (lowly net-admins being valled to testify in court, etc.)

Work-around:
        All LaserFiche tables should be secured (being client-server,
users do NOT need to have any NetWare rights to the tables, or data
store) from all users except the responsible records manager.  Use
NetWare's auditing feature in addition to the LF stuff to ensure that
no direct access is made to said tables.
        At last contact, the company had no desire to fix this hole.