Unauthorized Users May Be Able to See Through Redactions By Copying a Page from the Redacted Document to Another Document on Which They are Able to See Through Redactions.

December 11, 2006 | KB: 1011713
Laserfiche Server - Team (MSDE) 7, Laserfiche Server - United (MS SQL) 7, Laserfiche Server - United (Oracle) 7

Summary

A user that does not have the ability to see through redactions can never make a copy of that document. However, Laserfiche did not correctly prevent that user from copying individual pages.

Resolution

There is a hotfix available for Laserfiche Server 7.2.1. The fix includes the following files:

  • LFEng.dll (version 7.2.1.410)
  • 28581.sql (Microsoft SQL Server SQL Script)
  • LFS_body.sql (Oracle SQL script)
  • LFS_spec.sql (Oracle SQL script)

Replace and register the updated LFEng.dll. Then run the appropriate SQL scripts for your type of DBMS.

After updating Laserfiche Server, a user that does not have the ability to see through redactions:

  • Will be unable to create a copy of a document if the document contains any redactions.
  • Will be unable to copy any pages of a document if the document contains any redactions.

If a user also does not have the ability to see annotations, that user will be able to copy pages in a document that contains annotations, however, no annotations will be copied.

To update Laserfiche Server 7.2.1

  1. Stop the Laserfiche Server service.
    1. Click Start and click Control Panel.
    2. Double-click Administrative Tools.
    3. Double-click Services.
    4. Scroll down and select Laserfiche Server 7.2.
    5. From the Action menu, click Stop.
  2. Click the following link to download a zip file containing the hotfix.
    Hotfix_SCR28581.zip
  3. Extract the contents of the archive to a temporary location.
  4. Replace the existing version of LFEng.dll located in your Laserfiche Server installation folder with the version included in the zip file. By default, the Laserfiche Server is installed at "C:\Program Files\Laserfiche\Server."
  5. Perform one of the following:
    • Microsoft SQL Server: Run the 28581.sql script on your database.
      1. Click Start and then click Run.
      2. In the Run dialog box, type the following and click OK to run the script.

        osql -E -S SQLInstance -d DatabaseName -i PathToScript.

        SQLInstance is the name of your SQL server.

        DatabaseName is the name of the SQL database associated with your Laserfiche repository.

        PathToScript is the full path (including the file name and extension) to the extracted 28581.sql file.

    • Oracle: Run the LFS_body.sql and LFS_spec.sql scripts.
      1. Click Start and then click Run.
      2. In the Run dialog box, type the following and click OK to load a command prompt.

        cmd

      3. Browse to the temporary location where you extracted the contents of the downloaded zip file.
      4. Type the following and press ENTER to run SQL*Plus.

        sqlplus UserName/Password@SchemaName

      5. In the resulting prompt, type the following:

        @LFS_spec.sql

      6. Repeat the above steps with LFS_body.sql.

        Note: You must apply LFS_spec.sql first prior to applying LFS_body.sql.

  6. Restart the Laserfiche Server service.
    1. Click Start and click Control Panel.
    2. Double-click Administrative Tools.
    3. Double-click Services.
    4. Scroll down and select Laserfiche Server 7.2.
    5. From the Action menu, click Restart.

Related Links

Please see the following Knowledge Base article for information on another hotfix included in LFEng.dll (version 7.2.1.410).

1011712 Laserfiche Creates Low-Resolution Thumbnail Images.