Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.
Fact
Novell GroupWise 6.5
Novell GroupWise WebAccess
Symptom
Possible scripting vulnerability in GroupWise WebAccess
"Security Advisory SA10713" issued by Secunia regarding "Novell GroupWise Cross Site Scripting Vulnerability"
Fix
Novell has reviewed Secunia Security Advisory SA10713 and has concluded that although a user can indeed embed scripts into a page returned by WebAccess via the method suggested, this approach does not provide a path for accessing information outside of that user's account. So although it may have the appearance that malicious script activity can occur, some other method is required to get in to another user's account before this scripting method can be used. For example, unless user "John" has another method for accessing someone else's account, the only account that can be maliciously "attacked" via embedded scripts is John's own account, and any actions will be isolated to his own information.
Novell will release updated versions of the GW WebAccess templates to prevent users from modifying data in this way as part of GroupWise 6.5 Support Pack 2, but prior to the release of SP2, customers can modify their WebAccess template files as follows to prevent these actions:
The change requires HTML encoding data which is inserted into the templates using the VAR keyword. For example, in the login.htt template, the GWAP.version value would be changed from
{VAR GWAP.version}
to
{VAR toHTML(GWAP.version)}
Additionally, GroupWise WebAccess 6.5 users can avoid all known vulnerability issues by using SSL on their web server and enabling session cookies in their WebAccess configuration settings.