Environment
GroupWise Mobile Server 2.0
Situation
This TID is an information-only document to verify that the GroupWise Mobile Server version 2.0.2 update (available at https://download.novell.com/Download?buildid=ol10nGOqD0A~) includes a fix for a previously disclosed security issue.
Reported as CVE-2007-2592, this vulnerability was discovered by Johannes Greil, SEC Consult (www.sec-consult.com).
Details of the security vulnerability were first published at http://www.sec-consult.com/289.html, which lists the following issues with the Nokia Intellisync Mobile Suite (which is a component of GroupWise Mobile Server).
* Some ASP scripts under /usrmgr/ list all configured users, including the mail server address with userid (but no password).
* Furthermore, it is possible to deactivate all users and deny access to the system.
* Some ASP scripts are vulnerable to cross-site scripting attacks.
Resolution
To update your system, download GroupWise Mobile Server 2.02 from https://download.novell.com/Download?buildid=ol10nGOqD0A~ and install it according to the instructions included with that update.
For information on updating a GMS 1.0 system to fix this vulnerability, please see KB 5005120 at https://support.novell.com/.