COMMAND
Training Management Software and Safety Management Software
SYSTEMS AFFECTED
Windows systems running the software above
PROBLEM
'standby' found the following. This hole is in the Training
Management Software and Safety Management Software by RMS Systems.
It is present in the Windows 3.1 and 95 versions, even in the
latest update, 2.5. (It hasn't been tested on the DOS version,
though that version is out of date and shouldn't be in
circulation.)
Both of the above-mentioned software packages, TMS and SMS,
contain a major security hole. First, to explain the software
itself:
- The TMS helps a company track which courses need to be
  given to which employee, when to reschedule, etc.
- The SMS is a program for tracking incidents of injury etc.
  in a company. It can also print out the OSHA 200 forms.
Both of these software packages have the capability to give
different access levels to different users. This lets you
restrict what people can see, for example other employees'
address, phone number, and even their Social Security number. This
is where the bug is. A user at any level can access the personal
data of anyone by simply going to the report screen and running
the Employee List Form. Though this doesn't have all that
information, one can use the built-in Basic Report Writer to
create a custom report which has any and all information you
desire about anyone in the database.
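The flaw class described above, where the data screens honor access levels but the report path does not, modeled as an added example. This is not RMS Systems code; the level names, fields, records and function names are all constructed for illustration.

```python
# Added illustration; every name, level and record here is constructed.
from dataclasses import dataclass

# Hypothetical access levels and the employee fields each may read.
FIELD_POLICY = {
    "admin": {"name", "course_due", "address", "phone", "ssn"},
    "clerk": {"name", "course_due"},
}

# Constructed sample database.
EMPLOYEES = [
    {"name": "A. Example", "course_due": "Forklift refresher",
     "address": "1 Sample St", "phone": "555-0100", "ssn": "000-00-0000"},
]

@dataclass
class User:
    login: str
    level: str

def allowed_fields(user):
    """Single source of truth for what a user may read."""
    return FIELD_POLICY.get(user.level, set())

def employee_screen(user, record):
    """Data screen: filters each record by the caller's access level."""
    return {k: v for k, v in record.items() if k in allowed_fields(user)}

def custom_report_unchecked(user, columns):
    """Flawed pattern: the report path never consults the policy."""
    return [{c: rec[c] for c in columns} for rec in EMPLOYEES]

def custom_report_checked(user, columns):
    """Hardened: same policy as the screens, rejects columns outside it."""
    denied = [c for c in columns if c not in allowed_fields(user)]
    if denied:
        raise PermissionError(
            f"{user.login} may not report on: {', '.join(denied)}")
    return [{c: rec[c] for c in columns} for rec in EMPLOYEES]
```

The point for a reviewer is that every read path, reports and exports included, has to go through the same authorization check as the interactive screens.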
SOLUTION
This bug has been shown to RMS Systems, maker of the products in
question. Keep only the ADMIN account active, and delete all
other accounts in the program. This is basically the only means
of prevention until the 3.0 update comes out (which they plan on
releasing at the beginning of next year).