Mail Theft Possible from GroupWise Web Interface

Feb 02, 2009

Security tester ProCheckUp has found critical bugs in Novell's GroupWise WebAccess that could allow e-mail theft.

The possible attack on the Web-based groupware stems from cross-site request forgery (CSRF) in which a forged HTTP request configured in the software under the user's authentication can send a new rule to mail forwarding (CVE-2009-0272). The attacker could then forward the user's mail to an account of the attacker's choice. To fall into this trap, the user needs only visit a website, click a link or open HTML mail prepared with the attacker's CSRF. With the new rule in place, the user could face a perpetual security threat.

ProCheckUp will release details of the sample attacker code (or "proof of concept") only after consulting with Novell and having a resolution on hand.

The security hole affects GroupWise versions 6.5x, 7.0, 7.01, 7.02x, 7.03 and 8.0. Novell has issued patches on its support website, at least for version 7.x and later. For end-of-life version 6.5x an upgrade is required to 7.03 or 8.0.

ProCheckUp also found two attack windows for cross-site scripting (XSS) in the above-mentioned GroupWise versions. An attacker can slip scripting code into HTML mail or attachments that could inflict (in the first case) temporary or (in the second case) permanent harm, with possible identity theft (CVE-2009-0273). Novell has also posted two separate hot patches (first and second) for these bugs on their support site.

Related content

  • Novell Acquires Teamwork Specialists Sitescape

    Novell today announced it has acquired SiteScape, a leader in open source team collaboration, in a move that will create interoperable, open source and open standards-based workspaces for team productivity.SiteScape, the founder of the ICEcore open source collaboration project, brings impressive team workspace and real-time collaboration capabilities to Novell.

  • Apt-Dater 0.7 for Mass Remote Updates

    The remote package update manager program apt-dater is now available in version 0.7. It performs software updates on a mass of remote hosts.

  • Brainshare 2008

    Novell vendors, developers, and users exchanged metaphors and business cards in Salt Lake City.

  • Password Theft at

    The Typo3 Association is warning users with accounts at of a possible misuse of stored data.

  • Novell Acquires Specialist for Security Management

    Novell is extending its portfolio of enterprise management solutions with its acquisition of Senforce Technologies, an endpoint security management specialist.

comments powered by Disqus