Spotlight | Reviews | Current Issue | Newsletter | Subscribe | Contact |
Departments

Partner Links
Website builder
WinWeb OnlineOffice
Shopping and price comparison with product reviews at dooyoo.co.uk

user friendly

CeBIT 2010

High-class talks around the clock in the Forum, non-commercial projects presenting their work, new developments at the largest IT fair in the world, CeBIT Open Source 2010 in Hanover, Germany.

Visit them in hall 2, March 2-6 or here.

  linux-magazine.com » Online » News » Mail Theft Possible from GroupWise Web Interface  

Print this page. Recommend
Slashdot it! Delicious Share on Facebook Tweet! Digg

Mail Theft Possible from GroupWise Web Interface

Security tester ProCheckUp has found critical bugs in Novell's GroupWise WebAccess that could allow e-mail theft.

The possible attack on the Web-based groupware stems from cross-site request forgery (CSRF) in which a forged HTTP request configured in the software under the user's authentication can send a new rule to mail forwarding (CVE-2009-0272). The attacker could then forward the user's mail to an account of the attacker's choice. To fall into this trap, the user needs only visit a website, click a link or open HTML mail prepared with the attacker's CSRF. With the new rule in place, the user could face a perpetual security threat.

ProCheckUp will release details of the sample attacker code (or "proof of concept") only after consulting with Novell and having a resolution on hand.

The security hole affects GroupWise versions 6.5x, 7.0, 7.01, 7.02x, 7.03 and 8.0. Novell has issued patches on its support website, at least for version 7.x and later. For end-of-life version 6.5x an upgrade is required to 7.03 or 8.0.

ProCheckUp also found two attack windows for cross-site scripting (XSS) in the above-mentioned GroupWise versions. An attacker can slip scripting code into HTML mail or attachments that could inflict (in the first case) temporary or (in the second case) permanent harm, with possible identity theft (CVE-2009-0273). Novell has also posted two separate hot patches (first and second) for these bugs on their support site.

(Mathias Huber)

Comments


Print this page. Recommend
Slashdot it! Delicious Share on Facebook Tweet! Digg
Related Articles
Novell Nixes BrainShare
Novell Offered Takeover Proposal
openSUSE 11.1 Unveiled
Progress with openSUSE 11.3
Simple Groupware 0.500 with Offline Mode and Diagrams
What Means openSUSE? Trademark Guidelines
FREE Live Streaming Video from ApacheCon US 2009

Watch our free Video Archive from Apachecon US 2009. Archive provided by The Apache Foundation, COLLABNET, and Linux Pro Magazine

Drawing internationally renowned thought-leaders, contributors, and organizations in the Open Source community, ApacheCon offers insight into the culture and community that develops and shepherds industry-leading Open Source projects, including Apache HTTP Server – the world's most popular Web server software for more than 10 years.

Find out more

 

In the US and Canada, Linux Magazine is known as Linux Pro Magazine.
Entire contents © 2010 [Linux New Media USA, LLC]
Linux New Media web sites:
North America: [Linux Pro Magazine]
UK/Worldwide: [Linux Magazine]
Germany: [Linux-Magazin] [LinuxUser] [EasyLinux] [Linux-Community] [Linux Technical Review]
Eastern Europe: [Linux Magazine Poland] [Linux Community Poland]
International: [Linux Magazine Brazil] [EasyLinux Brazil] [Linux Magazine Spanish]
Corporate: [Linux New Media AG]