[VulnWatch] Novell GroupWise 6.5 Clear Text Vulnerability

From: Adam Gray (agray_at_novacoast.com)
Date: 08/01/03

  • Next message: KF: "[VulnWatch] SRT2003-08-01-0126 - cdrtools-2.x local root exploit"
    Date: Thu, 31 Jul 2003 17:13:43 -0700
    To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>
    
    

    Novacoast Security Advisory
    Novell GroupWise 6.5 Vulnerability

    Synopsis:
    Novacoast has discovered a vulnerability in the Novell GroupWise 6.5 Wireless Webaccess logging functionality. The software exposes all username and passwords within the log file in clear text. This information could be used to impersonate other users and allow unauthorized access to mail or network resources.

    Description:
    A key component of the Novell Nterprise* family of one Net solutions, Novell® GroupWise® 6.5 is a cross-platform collaboration product that enables you to work smarter alone and with others over any type of network*wired to wireless, including the Internet. In addition to integrated e-mail and scheduling services, GroupWise offers task-, contact- and document-management services that increase productivity. GroupWise also delivers secure instant messaging, tools that help you manage daily activities more efficiently and extensive mobile-access capabilities. In a nutshell, this innovative, open standards-based approach to collaboration services provides security, control and mobility while increasing user productivity and reducing the cost of managing and maintaining your organization's essential communication and collaboration services.

    Affected Version:
    Novell GroupWise 6.5 Webaccess
    Novell GroupWise Wireless Web Access
    Novell Linux/Mac Beta Client
    NetWare 5/6
    Apache 1.3.x

    Exploit:
    None required
    Open sys:\apache\logs\access_log
    Passwords are listed as part of the url. the are preceded with username=****&password=****

    Recommended Solution:
    Upgrade to Novell GroupWise 6.5 sp1

    Status:
    This bug has been submitted to, acknowledged by, and a fix has been created and included with the latest service pack for Novell GroupWise 6.5. It can be downloaded from:
    http://support.novell.com

    Additional information can be found at the following location:
    http://support.novell.com/cgi-bin/search/searchtid.cgi?/10085583.htm

    Disclaimer:
    Novacoast accepts no liability or responsibility for the
    content of this report, or for the consequences of any
    actions taken on the basis of the information provided
    within. Dissemination of this information is granted
    provided it is presented in its entirety. Modifications
    may not be made without the explicit permission of
    Novacoast.

    Adam Gray
    CTO
    Novacoast, Inc.
    agray@novacoast.com
    http://www.novacoast.com


  • Next message: KF: "[VulnWatch] SRT2003-08-01-0126 - cdrtools-2.x local root exploit"

    Relevant Pages