Environment
Novell GroupWise WebAccess 7
Novell GroupWise WebAccess 6.5
Situation
Cross-site scripting vulnerability in WebAccess.
An outside security researcher reported a cross-site scripting vulnerability in GroupWise WebAccess.
In certain circumstances, the GroupWise filter does not check UTF-7 encoding and does not sanitize some code, which might allow this vulnerability.
These vulnerabilities may allow the theft of authentication credentials when an email is sent containing specific HTML code that allows JavaScript to run.
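The check below is an added illustration of the failure class described above, not Novell's code or the fix shipped in the patched builds. It decodes UTF-7 shifted sequences before inspecting a message body, so markup characters that a byte-level filter never sees are reported; the function names, the set of markup characters and the sample strings are assumptions constructed for this example.

```python
import re

# Characters an HTML sanitizer keys on (assumed set for this sketch).
MARKUP = re.compile(r"[<>\"'&]")

# A UTF-7 shifted run: '+', modified-base64 characters, optional closing '-'.
UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-?")


def _decode_run(run):
    """Decode one shifted run; return None if it is not valid UTF-7."""
    try:
        return run.encode("ascii").decode("utf-7")
    except UnicodeDecodeError:
        return None


def find_utf7_markup(text):
    """Return (encoded_run, decoded_text) pairs that hide markup characters."""
    findings = []
    for match in UTF7_RUN.finditer(text):
        decoded = _decode_run(match.group(0))
        if decoded is not None and MARKUP.search(decoded):
            findings.append((match.group(0), decoded))
    return findings


def normalize(text):
    """Replace every valid shifted run with its decoded form.

    A sanitizer should filter this normalized text, not the raw input.
    """
    return UTF7_RUN.sub(lambda m: _decode_run(m.group(0)) or m.group(0), text)


if __name__ == "__main__":
    # Constructed sample: harmless bold tags written as UTF-7 runs.
    sample = "Hello +ADw-b+AD4-world+ADw-/b+AD4-"
    for run, decoded in find_utf7_markup(sample):
        print(f"{run!r} decodes to {decoded!r}")
    print(normalize(sample))
```

A filter that looks only for literal `<` and `>` passes the constructed sample unchanged, while a client that interprets the body as UTF-7 renders the tags; normalizing first closes that gap.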
Resolution
This has been fixed in any build of GroupWise 7 WebAccess dated after July 27, 2006.
This has been fixed in any build of GroupWise 6.5 WebAccess dated after July 27, 2006.
The Hot Patch for GroupWise 7 is available here: https://support.novell.com/filefinder/20641/beta.html
The Field Test File for GroupWise 6.5 is available here: https://support.novell.com/filefinder/16963/beta.html
Status
Security Alert
Additional Information
Vulnerability discovered by:
Francisco Amato
[ISR] Infobyte Security Research.
This vulnerability has been assigned the identifier CVE-2006-3817 by the CVE database.