GroupWise WebAccess Security Issue

Ok, This is new for me. Groupwise Webaccess has a Security Issue. That’s one you don’t see often.

It seems like that it’s possible to execute a code through a link on a web page or by sending a certain
email to the system, people can get access to a users mailbox. That’s not nice!

Here you can read the whole article on Coolsolutions from Novell

The message of the post is simple: Upgrade to the latest Hot Patch of Groupwise 7.x or 8.x.
Groupwise 6.5 is not supported any more.

Update 5-2-2009: I have a bit more information. The vulnerability is that a person can send you a HTML email with a special code in it. This code can executed a JAVA script and so it’s possible this person can get access to your cookies or create a rule so every email this person gets is forwarded to a email address. Here you can find a example of the code.
I googled around, and could not find the code to create a rule that forwards every email to a external person. But I’m convinced that this code will be available soon.
Be aware this only gets executed in Webaccess. Not in the Groupwise client. You can minimize the thread thourg anti-spam, virus protection or a firewall.
Nevertheless you should apply the patched.