The HTTP interfaces for Novell GroupWise 8.0.2 Post Office Agent, Message Transfer Agent, and GroupWise Internet Agent are vulnerable to an arbitrary file retrieval condition due to a failure to properly filter certain crafted directory traversal sequences. An unauthenticated remote attacker can leverage this flaw to retrieve files with the privileges of the vulnerable agent. Novell has provided solutions for this issue in the form of GroupWise 8.0 SP3 as well as in the latest GroupWise 2012 SP1 release.
Title
-----
DDIVRT-2012-42 Novell GroupWise Agents Arbitrary File Retrieval (CVE-2012-0419)

Severity
--------
High

Date Discovered
---------------
April 2, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description
-------------------------
The HTTP interfaces for Novell GroupWise 8.0.2 Post Office Agent,
Message Transfer Agent, and GroupWise Internet Agent are vulnerable to
an arbitrary file retrieval condition due to a failure to properly
filter certain crafted directory traversal sequences. An
unauthenticated remote attacker can leverage this flaw to retrieve
files with the privileges of the vulnerable agent.
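Added example, not part of the advisory and not Novell or Digital Defense code: a log triage check for the class of flaw described above, which decodes each request target to a fixed point and flags any path that climbs above the web root. The Common Log Format, the decode bound, the sample lines and every path in them are constructed assumptions; the encodings shown are generic and are not the specific sequences that affect GroupWise.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5  # assumption: bound on nested percent-encoding to unwrap
# Assumption: Common Log Format; adapt the pattern to the agent's real log layout.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2012:10:00:01 +0000] "GET /help/index.htm HTTP/1.1" 200 512',
    '192.0.2.44 - - [02/Apr/2012:10:00:07 +0000] "GET /help/../../../conf/agent.cfg HTTP/1.1" 200 2048',
    '192.0.2.44 - - [02/Apr/2012:10:00:09 +0000] "GET /help/%2e%2e%5c%2e%2e%5cconf%5cagent.cfg HTTP/1.1" 200 2048',
    '192.0.2.44 - - [02/Apr/2012:10:00:12 +0000] "GET /help/%252e%252e/%252e%252e/conf/agent.cfg HTTP/1.1" 404 0',
    '192.0.2.10 - - [02/Apr/2012:10:00:15 +0000] "GET /docs/../help/index.htm HTTP/1.1" 200 512',
]

def canonical_path(request_target):
    """Decode a request target to the path a lenient server could end up using."""
    path = request_target.split("?", 1)[0]      # drop the query string
    for _ in range(MAX_DECODE_ROUNDS):          # unwrap single and nested encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")              # treat both separators alike

def escapes_root(request_target):
    """True if the decoded path steps above the web root at any point."""
    depth = 0
    for segment in canonical_path(request_target).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def flag_traversal(log_lines):
    """Return (client, request target) for each request that escapes the root."""
    matches = (REQUEST_RE.match(line) for line in log_lines)
    return [(m.group(1), m.group(2)) for m in matches if m and escapes_root(m.group(2))]

if __name__ == "__main__":
    for client, target in flag_traversal(SAMPLE_LOG):
        print(client, target)
```

A flagged request answered with status 200 is the case to investigate first, since it suggests the file was actually served.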

Solution Description
--------------------
Novell has provided solutions for this issue in the form of GroupWise
8.0 SP3 as well as in the latest GroupWise 2012 SP1 release.
http://www.novell.com/support/kb/doc.php?id=7010772

Tested Systems / Software
-------------------------
Novell GroupWise 8.0.2 Post Office Agent
Novell GroupWise 8.0.2 Message Transfer Agent
Novell GroupWise 8.0.2 GroupWise Internet Agent

Vendor Contact
--------------
Vendor Name: Novell
Vendor Website: http://www.novell.com/