GroupWise WebAccess Security Issue
OK, this is new for me. GroupWise WebAccess has a security issue. That's one you don't see often.
It seems that it's possible to execute code through a link on a web page or by sending a certain email to the system, so that people can get access to a user's mailbox. That's not nice!
Here you can read the whole article on Cool Solutions from Novell.
The message of the post is simple: upgrade to the latest Hot Patch of GroupWise 7.x or 8.x.
GroupWise 6.5 is not supported any more.
Update 5-2-2009: I have a bit more information. The vulnerability is that a person can send you an HTML email with special code in it. This code can execute JavaScript, so it's possible for this person to get access to your cookies or to create a rule so that every email this person gets is forwarded to an email address. Here you can find an example of the code.
I googled around, and could not find the code to create a rule that forwards every email to an external person. But I'm convinced that this code will be available soon.
Be aware that this only gets executed in WebAccess, not in the GroupWise client. You can minimize the threat through anti-spam, virus protection or a firewall.
Nevertheless, you should apply the patch.
About Michael
Michael Wilmsen is an experienced VMware Architect with more than 20 years in the IT industry. His main focus is VMware vSphere, Horizon View and Hyper Converged, with a deep interest in performance and architecture.
Michael is VCDX 210 certified, has been awarded the vExpert title since 2011, and is a Nutanix Tech Champion and a Nutanix Platform Professional.