Resolution for Security Vulnerability in GroupWise Mobile Server 2.0

  • 3003756
  • 21-Nov-2007
  • 10-Dec-2013

Environment

GroupWise Mobile Server 2.0

Situation

This TID is an information-only document confirming that the GroupWise Mobile Server version 2.0.2 update (available at https://download.novell.com/Download?buildid=ol10nGOqD0A~) includes a fix for a previously disclosed security issue.
 
The vulnerability, reported as CVE-2007-2592, was discovered by Johannes Greil of SEC Consult (www.sec-consult.com).
 
Details of the security vulnerability were first published at http://www.sec-consult.com/289.html, which lists the following issues with the Nokia Intellisync Mobile Suite (a component of GroupWise Mobile Server):

 * Some ASP scripts under /usrmgr/ list all configured users
 including the mail server address with userid (but no password).

 * Furthermore, it is possible to deactivate all users and
 deny access to the system.

 * Some ASP scripts are vulnerable to cross site scripting attacks.
 
 

Resolution

To update your system, download GroupWise Mobile Server 2.02 from https://download.novell.com/Download?buildid=ol10nGOqD0A~ and install it following the instructions included with that update.

For information on updating a GMS 1.0 system to fix this vulnerability, please see KB 5005120 at https://support.novell.com/
 
 

Status

Security Alert