GroupWise 6 WebAccess Security Fix
Novell Cool Solutions: Feature
Posted: 16 Oct 2001
Versions: GroupWise 5.5 EP, GroupWise 6
An issue has been discovered in the WebAccess component of Novell GroupWise version 5.5 Enhancement Pack and Novell GroupWise 6 that could potentially allow a malicious user to view files on a Web Server running the GroupWise WebAccess system. This issue is located within the Java components of GroupWise WebAccess.
A malicious user has the ability to view files on a Web Server that has the GroupWise WebAccess application installed and running by manipulating the URL generated by the WebAccess application.
The malicious user MUST know the EXACT PATH AND FILENAME when typing in the URL; the flaw does not allow direct browsing of the file or directory structure on the server.
Because of the inherently secure nature of the Novell GroupWise WebAccess architecture, the system is still very secure. The following is a list of actions that a malicious user CANNOT perform:
- Modify, rename, move or delete any file in any way
- Affect the running of the Web Server in any way
- Affect any process running on the Web Server in any way
- Read any files on any other Web or Network Server
- Access or read the contents of any mailbox in any way
See TID 2960443 to download the fix.
- Extract the file gw6wasf.exe.
- Rename the current file on the server and then replace it with the patched file:
(If running on NT or NetWare, you should copy it to the directory in which you originally installed this file.)
- Unload the WebAccess/WebPublisher Servlet and reload it with the new file in place.