Novell webmail product suffers cross-site flaws

Two cross-site vulnerabilities exists in Novell's GroupWise WebAccess webmail that could open company systems to intellectual property theft, researchers have warned

Two cross-site vulnerabilities exist in Novell's GroupWise WebAccess webmail application, a London-based penetration-testing company has claimed.

To be exploited, both flaws require user interaction in the form of opening an infected email or clicking on a link, researchers from ProCheckUp said on Friday. However, the flaws, which currently have no patch available, could allow emails to be stolen, according to ProCheckUp security researcher Adrian Pastor.

"The problem is that corporate emails could be stolen for the purposes of intellectual property theft or espionage," Pastor told ZDNet UK on Friday. "Everything sent in the clear could be potentially captured, and a lot of people don't want to use encrypted email."

The versions of GroupWise WebAccess that are affected by both flaws are 6.5x, 7.0, 7.01, 7.02x, 7.03 and the latest version, 8.0.

ProCheckUp published an advisory about one of the flaws, a cross-site request forgery vulnerability in GroupWise WebAccess, on Friday. Any HTTP request can be successfully forged and any configuration settings changed on behalf of the user, according to the advisory.

Pastor discovered the flaw and reported it to Novell in October. He told ZDNet UK that, since "every single password recovery feature" relies on sending an email to the person's account, user online transaction details could also be compromised.

"You could go to PayPal and say 'I've forgotten my password', and you can hijack accounts," Pastor said.

The second flaw, discovered by ProCheckUp security researcher Jan Fry, is a persistent cross-site scripting vulnerability in Novell GroupWise WebAccess. Fry told ZDNet UK that this flaw could allow an attacker to steal email contacts.

"In cross-site scripting, what [an attacker] is trying to do is to steal the session," said Fry. "Novell GroupWise WebAccess has a feature that could prevent that, but [an attacker] could scrape the contents of the address book."

There are no workarounds for the vulnerabilities. Patches for both flaws will be made available on Friday, according to a Novell spokesperson.

"The fixes and technical documentation will be available today, late afternoon US Mountain Time," the spokesperson said. "They will be available from the Novell support site."

Security companies normally release updates at the same time as advisories are published. While no update was available for the flaws at the time the ProCheckUp advisory was published on Friday, Novell's spokesperson said the company "reacts promptly" to security flaws.

"The important thing is that the details of the potential vulnerability are not in the public domain," the spokesperson said, adding that Novell was grateful to the security researchers for finding the flaws. The ProCheckUp researchers in turn said that Novell had dealt with the flaw "very quickly and professionally".