Rapid7 Vulnerability & Exploit Database

Lotus Notes/Domino Anonymous Access to ZMerge 4.x Administration database




ZMerge is a Lotus Notes/Domino tool for mapping data between Lotus Notes databases and structured data files. It runs on Windows NT/2k/XP/9x. By default, the ZMerge administration database grants Manager access to all users (including anonymous web users). If the administrator neglects to change the database ACLs to something more appropriate, an unauthorized user could modify the data import/export scripts and therefore read and write arbitrary files on the server.

The ZMerge administration database (/zmevladm.nsf) contains the data import/export scripts used with ZMerge. The scripts are interpreted by the ZMerge program on the server, allowing scripts to read and write arbitrary files on the server. Several example scripts are included by default.

While the ZMerge administration database allows users to run scripts from within Notes, it is NOT possible for an attacker to run scripts directly from a web client, because the database makes use of the Notes formula language "@Function", which cannot run in the web context. However, a web user could still read and modify existing scripts, which may then be run as part of an agent or scheduled server task (or run directly by an unsuspecting administrator).

Furthermore, since an attacker could use the information in the scripts (filenames and contents) to gain information about the server (the physical web root, for example), non-Administrative users should not have even "Reader" access to this database.
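
The following log-review check is an added example, not part of the original advisory. It scans web access log lines for anonymous requests to /zmevladm.nsf that the server honoured and separates reads from edits. The log lines, the Scripts/0A1B path, and the assumption that anonymous requests carry "-" in the user field of a common-log-format access log are constructed for illustration.

```python
import re

# Constructed sample lines in NCSA common log format (assumed log layout);
# a "-" in the third field is taken to mean an unauthenticated (anonymous) request.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2003:10:01:02 +0000] "GET /zmevladm.nsf?OpenDatabase HTTP/1.0" 200 5120
192.0.2.10 - - [12/Mar/2003:10:01:09 +0000] "GET /zmevladm.nsf/Scripts/0A1B?EditDocument HTTP/1.0" 200 7311
192.0.2.10 - - [12/Mar/2003:10:01:30 +0000] "POST /zmevladm.nsf/Scripts/0A1B?SaveDocument HTTP/1.0" 302 0
192.0.2.44 - "CN=Admin/O=Example" [12/Mar/2003:10:05:00 +0000] "GET /ZMEVLADM.NSF?OpenDatabase HTTP/1.0" 200 5120
192.0.2.77 - - [12/Mar/2003:10:06:00 +0000] "GET /zmevladm.nsf HTTP/1.0" 401 210
192.0.2.77 - - [12/Mar/2003:10:06:05 +0000] "GET /names.nsf?OpenDatabase HTTP/1.0" 200 900
"""

# client, ident, user (quoted or bare), [time], "METHOD url proto", status, bytes
LINE = re.compile(r'^(\S+) \S+ ("[^"]*"|\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# Domino URL commands that open a document for editing or change stored documents.
WRITE_CMDS = ("editdocument", "savedocument", "createdocument", "deletedocument")


def anonymous_zmerge_hits(log_text, db_path="/zmevladm.nsf"):
    """Return (client, time, kind, url) for anonymous requests the server honoured."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a common-log-format line
        client, user, when, method, url, status = m.groups()
        if user.strip('"') != "-":
            continue  # authenticated request
        if not url.lower().startswith(db_path):
            continue  # different database (names are matched case-insensitively)
        if not status.startswith(("2", "3")):
            continue  # 401/403 etc.: the ACL rejected the request
        query = url.partition("?")[2].lower()
        is_write = method == "POST" or query.startswith(WRITE_CMDS)
        hits.append((client, when, "write" if is_write else "read", url))
    return hits


if __name__ == "__main__":
    for hit in anonymous_zmerge_hits(SAMPLE_LOG):
        print(*hit)
```

Any hit means the database ACL still admits anonymous users; a "write" hit means the stored scripts should be reviewed before they are next run.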


  • disable-anonymous-default-notes-acl
