Security hole in TMS/SMS

standby (standby@SELF.DESTRUCTIVE.ORG)
Fri, 03 Apr 1998 14:27:36 -0700

Note:
-----
This bug has been shown to RMS Systems, maker of the products in question.
Also excuse my lack of formatting of the text; I usually only follow groups.

What product:
-------------
This hole is found in the Training Management Software and Safety
Management Software by RMS Systems. The hole can be found in the Win 3.1
& 95 versions, even in the latest update, 2.5. (It hasn't been tested on the
DOS version, though that is out of date and shouldn't be in circulation.)

The problem:
------------
Both of the above mentioned software packages, TMS & SMS, contain a major
security hole. First, to explain the software itself:
- The TMS is to help a company track which courses need to be
given to which employee and when to reschedule, etc.
- The SMS is a program for tracking incidents of injury, etc., in a
company. It also has capabilities for printing out the OSHA 200
forms.
Both of these software packages have the capability to give different
access levels to different users. Doing so, you can restrict what people
can see, for example other employees' addresses, phone numbers, and even
their Social Security numbers. This is where the bug is.
Any level of user can access the personal data of anyone by simply going to
the report screen and running the Employee List Form. Though this doesn't
have all that information, one can use the built-in Basic Report Writer to
create a custom report which has any and all information you desire about
anyone in the database. In other words, the access level is only enforced
by the fixed screens; the report writer reads the same database without
applying it.
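The flaw above is the classic case of authorization enforced on one screen
instead of on the data itself: a second path to the same records (here, the
report writer) gets everything. The following is an added illustration of
that pattern and its fix, written for this note; it is not code from RMS
Systems or from TMS/SMS, and the employee records, the numeric access levels,
the per-field minimum levels and the function names are all constructed
assumptions. The vulnerable version ignores the caller's level when a custom
field list is requested; the hardened version filters every requested field
at the data layer, so any report definition, canned or custom, is covered, and
it records the fields it refused for audit.

```python
"""Field-level authorization for a report writer.

Added example (not RMS Systems' code).  Illustrates the advisory's point:
an access level checked only on the fixed Employee List screen is bypassed
by a custom report, so the check belongs on each field at the data layer.
All data, levels and names below are constructed for this example.
"""

from dataclasses import dataclass, field

# Constructed sample employee records (fake data, not real people).
EMPLOYEES = [
    {"id": 1, "name": "A. Example", "dept": "Shipping",
     "address": "1 Sample St", "phone": "555-0100", "ssn": "000-00-0001"},
    {"id": 2, "name": "B. Example", "dept": "Training",
     "address": "2 Sample St", "phone": "555-0101", "ssn": "000-00-0002"},
]

# Hypothetical policy: minimum access level needed to read each field.
# 0 = any logged-in user, 1 = supervisor, 2 = HR, 3 = ADMIN.
FIELD_MIN_LEVEL = {
    "id": 0, "name": 0, "dept": 0,
    "address": 1, "phone": 1,
    "ssn": 3,
}
ADMIN_LEVEL = 3


@dataclass
class User:
    name: str
    level: int


@dataclass
class Report:
    rows: list = field(default_factory=list)
    denied_fields: list = field(default_factory=list)


def build_report_vulnerable(user, fields):
    """Flawed pattern: the access level is enforced only by the canned
    Employee List screen, so a custom report is handed every field it asks
    for.  The `user` argument is never consulted; that is the bug."""
    return Report(rows=[{f: rec[f] for f in fields if f in rec}
                        for rec in EMPLOYEES])


def build_report_hardened(user, fields):
    """Fixed pattern: the data layer checks every requested field against the
    caller's level, whatever screen or report definition made the request.
    Fields the user may not read are dropped and listed for audit.  A field
    the policy does not know about is treated as ADMIN-only."""
    allowed, denied = [], []
    for f in fields:
        min_level = FIELD_MIN_LEVEL.get(f, ADMIN_LEVEL)
        (allowed if user.level >= min_level else denied).append(f)
    rows = [{f: rec[f] for f in allowed if f in rec} for rec in EMPLOYEES]
    return Report(rows=rows, denied_fields=denied)


if __name__ == "__main__":
    clerk = User("clerk", level=0)
    wanted = ["name", "address", "phone", "ssn", "bonus"]
    print("vulnerable:", build_report_vulnerable(clerk, wanted).rows)
    r = build_report_hardened(clerk, wanted)
    print("hardened:", r.rows, "denied:", r.denied_fields)
```

Run as-is to see the level-0 "clerk" receive Social Security numbers from the
vulnerable path and only names from the hardened one. The denied_fields list
is the audit hook: a low-level account repeatedly requesting "ssn" in custom
reports is exactly the activity an administrator would want logged.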

Prevention:
-----------
Only have the ADMIN account active, and delete all other accounts to the
program. That is basically the only way of prevention until the 3.0 update
comes out (which they plan on releasing beginning next year).

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
standby@destructive.org - http://www.destructive.org
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-