Re: Novell GroupWise 6.5 Clear Text Vulnerability

["Ryan Nelson" <ryann () village gurnee il us>]

This part from the TID is kind of important:

GroupWise Webaccess users using their desktop or laptop computers do NOT have this problem. 
Only happens with WML & HDML. 
Only happens when using Wireless Phones


Ryan


> > > "Adam Gray" <agray () novacoast com> 7/31/2003 7:13:43 PM >>>
Novacoast Security Advisory
Novell GroupWise 6.5 Vulnerability

Synopsis:
Novacoast has discovered a vulnerability in the Novell GroupWise 6.5 Wireless Webaccess logging functionality. The 
software exposes all username and passwords within the log file in clear text.  This information could be used to 
impersonate other users and allow unauthorized access to mail or network resources.

Description:
A key component of the Novell Nterprise* family of one Net solutions, Novell® GroupWise® 6.5 is a cross-platform 
collaboration product that enables you to work smarter alone and with others over any type of network*wired to 
wireless, including the Internet. In addition to integrated e-mail and scheduling services, GroupWise offers task-, 
contact- and document-management services that increase productivity. GroupWise also delivers secure instant messaging, 
tools that help you manage daily activities more efficiently and extensive mobile-access capabilities. In a nutshell, 
this innovative, open standards-based approach to collaboration services provides security, control and mobility while 
increasing user productivity and reducing the cost of managing and maintaining your organization's essential 
communication and collaboration services.

Affected Version:
Novell GroupWise 6.5 Webaccess
Novell GroupWise Wireless Web Access
Novell Linux/Mac Beta Client
NetWare 5/6
Apache 1.3.x

Exploit:
None required
Open sys:\apache\logs\access_log
Passwords are listed as part of the url. the are preceded with username=****&password=****

Recommended Solution:
Upgrade to Novell GroupWise 6.5 sp1

Status:
This bug has been submitted to, acknowledged by, and a fix has been created and included with the latest service pack 
for Novell GroupWise 6.5. It can be downloaded from:
http://support.novell.com 

Additional information can be found at the following location:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10085583.htm 


Disclaimer:
Novacoast accepts no liability or responsibility for the 
content of this report, or for the consequences of any 
actions taken on the basis of the information provided 
within. Dissemination of this information is granted 
provided it is presented in its entirety. Modifications 
may not be made without the explicit permission of
Novacoast.

Adam Gray
CTO
Novacoast, Inc.
agray () novacoast com 
http://www.novacoast.com