novell.txt
Posted Jan 19, 2005
Authored by Marc Ruef | Site computec.ch

The Novell GroupWise WebAccess error module handling has a flaw where a malicious attacker can circumvent the login procedure.

tags | advisory
SHA-256 | 098deb19fae7350013e47a4e4b102a3848621eb8b4d993db52f880dc69b73b5e

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear ladies and gentlemen

We have found a potential security vulnerability in the Novell GroupWise WebAccess error module handling. First of all, it is possible to circumvent the login procedure. If a user connects to https://www.scip.com:1444/servlet/webacc (this is just an example with our domain), he is able to authenticate with his user name and password. If wrong input is made, the webacc application loads the error page. It is possible to specify another error document with the error variable in $QUERY_STRING. If this reference points to webacc itself (the URL https://www.scip.com:1444/servlet/webacc?error=webacc would be required), the login is circumvented: you are always logged in as a "ghost user" without a profile. It does not seem to be possible to load and store data or to use other services (e.g. the address book or sending email). It is also possible to reach specific template files by specifying their names (e.g. https://www.scip.com:1444/servlet/webacc?error=send for sending emails). Reaching files other than those with the extension .htt, or files outside the webserver root directory, does not seem to be possible. An attacker may use this vulnerability to exploit a bug that is otherwise only exploitable by authenticated users. More details on how this htt framework should be used can be found at http://developer.novell.com/ndk/doc/gwwbacc/index.html?page=/ndk/doc/gwwbacc/gwwebacc/data/a6l4t54.html - You find the original advisory, written in German, at http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1020 (Novell GroupWise WebAccess error Authentisierung umgehen).

The second flaw depends on the first one. You are able to specify a (wrong) user name in the login screen. Afterwards you circumvent the authentication as described before. If you open the about screen (e.g. https://www.scip.com:1444/servlet/webacc?error=about, or by clicking on the WebAccess logo at the top), the Program Release line shows the version data of the GroupWise installation. The user name that was specified in your last login procedure is printed on the Userid line. HTML injection may be possible in this case. For example, if the user name "<a href=http://www.scip.ch>www.scip.ch</a>" has been used, this HTML link will be printed. The injection of scripts seems not to be possible because the required tags <script> and </script> are filtered/replaced. This vulnerability may be useful to gain the version data of the installation, and it may be possible to carry out a social engineering or HTML injection attack (e.g. loading a corrupt JPEG file to exploit the Windows buffer overflow). You find the original advisory, written in German, at http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1021 (Novell GroupWise WebAccess error about erweiterte Rechte).
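Both behaviours above (the error parameter selecting arbitrary .htt templates such as webacc, send or about, and the last-entered user name being reflected on the about screen) lend themselves to a defensive check. The following Python is an added example, not code from this advisory or from Novell: it parses Apache-style access-log lines (constructed sample data) and flags requests to /servlet/webacc whose error value is not in an operator-supplied allowlist of genuine error templates, and it shows the output encoding the Userid line would need instead of filtering only the script tags. The log format, the allowlist and the sample IPs are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Apache "common" log lines; the addresses and timestamps
# are made up for this example and do not come from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Dec/2004:10:01:02 +0100] "GET /servlet/webacc HTTP/1.1" 200 4312
192.0.2.10 - - [14/Dec/2004:10:01:09 +0100] "POST /servlet/webacc HTTP/1.1" 200 2210
192.0.2.77 - - [14/Dec/2004:10:02:30 +0100] "GET /servlet/webacc?error=webacc HTTP/1.1" 200 5120
192.0.2.77 - - [14/Dec/2004:10:02:41 +0100] "GET /servlet/webacc?error=send HTTP/1.1" 200 3020
192.0.2.91 - - [14/Dec/2004:10:03:00 +0100] "GET /servlet/webacc?error=about HTTP/1.1" 200 1800
192.0.2.91 - - [14/Dec/2004:10:03:05 +0100] "GET /index.html?error=webacc HTTP/1.1" 404 210
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Servlet path named in the advisory.
WEBACC_PATH = "/servlet/webacc"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_error_values(rec, allowed_templates=frozenset()):
    """Values of the `error` parameter on a webacc request that are not in the
    allowlist of legitimate error templates. With an empty allowlist (the default,
    because the advisory does not name the genuine error templates) every use of
    the parameter is reported for review."""
    parts = urlsplit(rec["target"])
    if parts.path != WEBACC_PATH:
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("error", [])
    return [v for v in values if v not in allowed_templates]


def scan_log(text, allowed_templates=frozenset()):
    """Scan a whole log; return (client, timestamp, error value) for each hit."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped here, worth counting in production
        for value in suspicious_error_values(rec, allowed_templates):
            hits.append((rec["ip"], rec["ts"], value))
    return hits


def escape_userid(userid):
    """Encode a user name before placing it in HTML output. Encoding every
    special character closes the gap left by removing only <script> tags:
    the anchor from the advisory becomes inert text instead of a link."""
    return html.escape(userid, quote=True)


if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} webacc request with error={value!r}")
    print(escape_userid('<a href=http://www.scip.ch>www.scip.ch</a>'))
```

The allowlist is deliberately empty by default: an operator who knows which .htt files are real error pages passes them in, and anything else reaching the servlet through the error parameter is surfaced. The request to /index.html in the sample is ignored because the check is scoped to the servlet path the advisory describes.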

We have not found any information on that issue. So I sent this information (nearly the same posting) on 14/12/04 to info@novell.com and asked for a solution. As I had not heard _anything_ by 23/12/04, I sent a reminder email to the same address. Since no reply came back, we finally made this vulnerability public to force Novell to react to this case. An Attack Tool Kit (ATK) plugin that addresses this vulnerability will be published in the next days[1].

Regards,

Marc Ruef

[1] http://www.computec.ch/projekte/atk/

- --
) scip AG (
Technoparkstr. 1
8005 Zürich
T +41 1 445 18 18
F +41 1 445 18 19

maru@scip.ch
www.scip.ch

- - Latest IT security vulnerabilities -

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://www.scip.ch

iQA/AwUBQevrDBe5hzJzqVMhEQJrtQCg041eH6NVBOQ+GPS5QudSw2ARKAAAni/P
tTao1cSGtOUvnKKsqqH5/0Gs
=A+fy
-----END PGP SIGNATURE-----