Advisory ID: SYSS-2015-021
Product: GroupWise
Vendor: Novell
Affected Version(s): 2014
Tested Version(s): 2014
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2015-05-04
Solution Date: 2015-07-06
Public Disclosure: 2015-07-16
CVE Reference: Not yet assigned
Author of Advisory: Dr. Adrian Vollmer (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Novell GroupWise 2014 is an email web client which also features an
address book, a calendar and a task management tool.

The vendor Novell describes the product as follows (see [1]):

"GroupWise 2014 gives employees robust email, calendaring, task
management and contact management tools wherever they wander. The same
goes for admins, who get streamlined, web-based administration and more
to let them monitor, manage and make things happen on the go."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Novell GroupWise 2014 is vulnerable to Cross-Site Scripting attacks. In
combination, these vulnerabilities enable an attacker to perform various
actions in the context of the victim's session.

Sending a specially crafted email to the victim leads to JavaScript code
being executed when the email is opened. This code can then send emails
in the victim's name, create a rule to forward all future incoming emails
to an email address chosen by the attacker, or possibly even forward
existing emails in the victim's mailbox.

In particular, the filter that is supposed to remove malicious code can
be bypassed by appending an invalid attribute to the actual attribute of
an HTML tag without using a separating space like this:
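As an added, defender-side illustration that is not the advisory's own example tag and not SySS or Novell code, the Python below contrasts a regex deny-list, which only recognises an attribute when whitespace precedes it, with an allowlist sanitizer that rebuilds the markup from the tokenizer's attribute list. The sample tag, the example.invalid URL and the handler() name are constructed placeholders.

```python
import re
from html import escape
from html.parser import HTMLParser
# Allowlist: element -> attributes that may survive; anything else is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)

def naive_filter(html: str) -> str:
    """Constructed regex deny-list: strips on*= handlers only after whitespace."""
    return re.sub(r'\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)', "", html,
                  flags=re.IGNORECASE)

class Sanitizer(HTMLParser):
    """Re-emits only allowlisted elements/attributes from the tokenizer's view."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1                  # suppress the raw text inside
        if tag not in ALLOWED:
            return                          # unknown element: drop the tag
        kept = []
        for name, value in attrs:           # boundaries decided by the parser
            value = (value or "").strip()
            if name not in ALLOWED[tag]:
                continue                    # onerror, style, foo ... land here
            if name in ("href", "src") and not SAFE_URL.match(value):
                continue                    # javascript:, data:, relative URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html: str) -> str:
    parser = Sanitizer()
    parser.feed(html); parser.close()
    return "".join(parser.out)
# Constructed sample, not the advisory's payload: handler glued to src, no space.
SAMPLE = '<p>Hi<img src="https://example.invalid/a.png"onerror="handler()"></p>'
```

The deny-list leaves SAMPLE untouched because no whitespace precedes the glued handler, while the allowlist sanitizer emits only the src attribute it was told to keep.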
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following command sends an email to a victim that will, when opened,
create a new rule to forward all future emails addressed to the victim
to evil@attacker.invalid.

mutt -e "set content_type=text/html" victim@groupwise-webapp.com -s "Re: Pentest" < payload.html

The content of the file payload.html is:

Lorem ipsum dolor

The number of the array element (here: 3) may be dependent on the
particular installation and configuration of GroupWise. It refers to the
part in the URL which represents the "User.context", a parameter
resembling an anti-CSRF token which is transmitted as a GET parameter.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Apply the Support Pack 2 provided by Novell.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-04-28: Vulnerability discovered
2015-05-04: Vendor notified
2015-05-11: Vendor notified a second time
2015-05-12: Vendor acknowledged notification
2015-07-06: Vendor published patch
2015-07-16: Advisory published

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for Novell GroupWise 2014
    https://www.novell.com/products/groupwise/
[2] SySS Policy for Responsible Disclosure
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Dr. Adrian Vollmer of the SySS GmbH.

E-Mail: adrian.vollmer@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Adrian_Vollmer.asc
Key ID: 0x037C9FE7
Key Fingerprint: 70CF E88C AEE7 DB0F 5DC8 3403 0E02 7C7E 037C 9FE7

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind.
Details of this security advisory may be updated in order to provide as
accurate information as possible. The latest version of this security
advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en