Security Vulnerability: GroupWise Client for Windows Cross-site Scripting (XSS) Vulnerability
This document (7012063) is provided subject to the disclaimer at the end of this document.
GroupWise Client for Windows 2012 up to and including 12.0.1 HP1
To block the ability to run scripts within the GroupWise client for Windows, administrators will need to update their GroupWise clients to version 8.0.3 Hot Patch 3 (or later) or 2012 Support Pack 2 (or later) AND do the following steps:
- Create a new DWORD (32-bit) registry value under HKEY_CURRENT_USER\Software\Novell\GroupWise\Client\Setup\
- Enter "HTMLScriptsBlocked" (minus the quotes) in the "Value name" field
- Enter "1" (minus the quotes) in the "Value data" field
- Click OK to save the new DWORD value
With the new HTMLScriptsBlocked registry entry added to Windows, the GroupWise client will still display the yellow script warning, but if the user clicks on the warning message, the script will not run. NOTE: Adding this registry value to a Windows workstation will prevent ALL scripts from running within the GroupWise client, not just malicious scripts.
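The registry steps above can be checked and applied per user with a script. The following PowerShell is an added example, not Novell's own code; the function names Get-ScriptBlockState and Set-ScriptBlock are hypothetical, and it assumes the script runs in the session of the user whose client is being configured, because the value lives under HKEY_CURRENT_USER.

```powershell
# Added example (not from the original TID). Audits and enforces the
# HTMLScriptsBlocked DWORD described in the steps above.
$KeyPath   = 'HKCU:\Software\Novell\GroupWise\Client\Setup'
$ValueName = 'HTMLScriptsBlocked'

function Get-ScriptBlockState {
    # Returns 'Missing', 'WrongType', 'WrongData' or 'Compliant'.
    if (-not (Test-Path -Path $KeyPath)) { return 'Missing' }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return 'Missing' }
    # A string "1" is not what the steps call for: they specify a DWORD (32-bit) value.
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return 'WrongType'
    }
    if ($key.GetValue($ValueName) -ne 1) { return 'WrongData' }
    return 'Compliant'
}

function Set-ScriptBlock {
    # Create the key if it does not exist yet for this user.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force replaces an existing value, including one stored with the wrong type.
    New-ItemProperty -Path $KeyPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-ScriptBlockState
if ($before -ne 'Compliant') { Set-ScriptBlock }
$after = Get-ScriptBlockState

# Emit one record per run so a logon script or management tool can collect it.
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    User     = $env:USERNAME
    Before   = $before
    After    = $after
}

# Non-zero exit code signals that the value could not be brought into compliance.
if ($after -ne 'Compliant') { exit 1 }
```

The registry value only takes effect on clients already updated to the fixed versions named above; the script does not check the installed client version.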
This vulnerability was discovered and reported by Bartlomiej Balcerek at Wroclaw Centre for Networking and
Novell bug 799673, CVE-2013-1087
Previous versions (GroupWise 6.5, 7.x) of the GroupWise Client for Windows are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise Windows clients to version 8.0.3 Hot Patch 3 or 2012 SP2 in order to secure their systems.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7012063
- Creation Date: 02-APR-13
- Modified Date: 16-APR-13