COMMAND

    Compulink LaserFiche Client/Server

SYSTEMS AFFECTED

    Systems running Compulink LaserFiche Client/Server

PROBLEM

    Darren Rogers found the following. LaserFiche is a popular
    client-server imaging system, which according to their website,
    'is the trusted imaging system used by Fortune 1000 corporations
    and government agencies around the world.' Numerous law
    enforcement agencies use this software for records storage and
    retrieval. In the NetWare-based version (4.1 and 4.2), the user
    list and ACLs are stored in Btrieve tables. Usernames, passwords,
    and group membership information are stored completely unencrypted
    in these tables, giving full access to anyone who can figure out
    how to open a Btrieve table. Administrative changes can also be
    made directly to these tables without any logging or control
    (normally an 'admin' user would have to add and delete users and
    change access levels). Big deal, it's client-server, so clients
    don't need to have access to those tables. True, but the whole
    protection then rests on NetWare file-system rights to those
    tables: anyone who can read them bypasses the application's logon,
    and anyone who can write them changes users and access levels with
    no audit trail. This product's 'security' and auditing abilities
    are often trusted by the court system to provide proof as to who
    created, viewed, or deleted a record (records management laws are
    very strict!). The legal ramifications are pretty ugly (lowly
    net-admins being called to testify in court, etc.).
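    As an added check (example code written for this write-up, not part
    of the original report and not a LaserFiche/Compulink tool): create
    a throwaway LaserFiche user whose password is a long random string,
    then search the server's table files for that string. Any hit
    confirms cleartext storage and shows the fields stored next to it.
    The file extensions, the fixed-width record layout and the sample
    table below are assumptions made for illustration, since the real
    Btrieve layout is not described here.

```python
"""Canary scan for cleartext credentials in a server-side data store.

Added example for this advisory; it is not Darren Rogers' code, not
LaserFiche/Compulink tooling, and it knows nothing about the real Btrieve
record layout.  The idea: create a throwaway account whose password is a
long random string (the canary), then search every table file for that
string.  A hit proves the password is written to disk unencrypted, whatever
the record format, and the bytes around the hit usually show the adjacent
username and group fields.  A miss only means the canary is not stored as
plain bytes; a trivially encoded copy (XOR, reversed, EBCDIC) would still
be missed, so a miss is not proof of safety.
"""
import hashlib
import os
import re

CONTEXT_BYTES = 32  # bytes shown on either side of each hit


def find_cleartext(data, canary, context=CONTEXT_BYTES):
    """Return sorted (offset, printable_context) pairs for every hit of the
    canary (bytes) in data (bytes).  A fixed-width store pads fields with
    NULs or spaces, so a plain substring search is enough; upper/lower-case
    variants are tried too, since some directory systems fold case before
    storing."""
    hits = []
    for needle in {canary, canary.upper(), canary.lower()}:
        start = 0
        while (idx := data.find(needle, start)) >= 0:
            lo, hi = max(0, idx - context), idx + len(needle) + context
            # Non-printable bytes (field padding, binary headers) become '.'
            window = re.sub(rb"[^\x20-\x7e]", b".", data[lo:hi])
            hits.append((idx, window.decode("ascii")))
            start = idx + 1
    return sorted(hits)


def scan_tree(root, canary, extensions=(".dat", ".btr")):
    """Walk a data directory and return {path: hits} for every table file
    containing the canary.  The extension list is an assumption; point it
    at whatever files hold the server's user/ACL tables."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    hits = find_cleartext(fh.read(), canary)
                if hits:
                    results[path] = hits
    return results


# --- constructed sample data so the scan can be run offline -----------------

def build_sample_table(records, widths=(16, 16, 8)):
    """Fake fixed-width (user, password, group) table.  This is NOT the real
    Btrieve layout, just enough structure to show what a hit looks like."""
    table = bytearray()
    for rec in records:
        for field, width in zip(rec, widths):
            table += field.ljust(width, b"\0")
    return bytes(table)


CANARY = b"Canary-7Qx9zW"   # in practice: a fresh random string per run


def demo_cleartext():
    """Table that stores passwords as typed: the canary is found, with the
    username and group next to it in the context."""
    table = build_sample_table([
        (b"ADMIN", b"s3cret", b"ADMINS"),
        (b"CANARY1", CANARY, b"USERS"),
        (b"CLERK2", b"records", b"USERS"),
    ])
    return find_cleartext(table, CANARY)


def demo_hashed():
    """Same table, but the password field holds a SHA-256 digest (32 bytes,
    hence the wider field).  The canary is absent, which is what the scan
    should report against a store that does not keep cleartext.  (A real
    system would also salt; the point here is only the contrast.)"""
    digest = lambda p: hashlib.sha256(p).digest()
    table = build_sample_table([
        (b"ADMIN", digest(b"s3cret"), b"ADMINS"),
        (b"CANARY1", digest(CANARY), b"USERS"),
    ], widths=(16, 32, 8))
    return find_cleartext(table, CANARY)


if __name__ == "__main__":
    for offset, ctx in demo_cleartext():
        print(f"hit at offset {offset}: {ctx}")
    print("hashed store hits:", demo_hashed())
```

    Run scan_tree() against a copy of the data directory (taken from a
    backup, not the live volume) with the password you set on the canary
    account, and delete the account afterwards. Because the search is a
    raw byte match it works on any file format, but a miss only shows the
    bytes are not stored verbatim, not that they are protected.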

SOLUTION

    All LaserFiche tables should be secured against every user except
    the responsible records manager (being client-server, users do NOT
    need any NetWare rights to the tables or to the data store). Use
    NetWare's auditing feature in addition to the LF auditing to
    ensure that no direct access is made to those tables. At last
    contact, the company had no desire to fix this hole.