ZMerge is a Lotus Notes/Domino tool for mapping data between Lotus Notes
databases and structured data files. It runs on Windows NT/2k/XP/9x.
By default, The ZMerge administration database grants Manager access to
all users (including anonymous web users). If the administrator
neglects to change the database ACLs to something more appropriate, an
unauthorized user could modify the data import/export scripts and
therefore read and write arbitrary files on the server.
The ZMerge administration database (/zmevladm.nsf) contains the data import/export
scripts used with ZMerge. The scripts are interpreted by the ZMerge
program on the server, allowing scripts to read and write arbitrary
files on the server. Several example scripts are included by default.
While the ZMerge administration database allows users to run scripts
from within Notes, it is NOT possible for an attacker to run scripts
directly from a web client, because the database makes use of the
Notes formula language "@Function", which cannot run in the web
context. However, a web user could still read and modify existing
scripts which may then be run as part of an agent or scheduled server
task (or run directly by an unsuspecting administrator).
Furthermore, since an attacker could use the information in the scripts
(filenames and contents) to gain information about the server (the
physical web root, for example), non-Administrative users should not
have even "Reader" access to this database.