[ISR] - Novell Groupwise WebAccess Cross-Site Scripting
From: Francisco Amato <famato () infobyte com ar>
Date: Tue, 19 Jul 2005 09:46:55 -0300
|| Infobyte Security Research
Novell Groupwise WebAccess Cross-Site Scripting
Version: GroupWise 6.5 SP4. It is suspected that all previous versions of
GroupWise WebAccess is Novell's premier Intranet/Internet GroupWare solution
for the Web.
More info: http://www.novell.com
Remote exploitation of Cross-Site Scripting due to failure of the application
to sanitize user-supplied input prior to including it in dynamically generated
To reproduce this, send an e-mail with the following HTML code:
It shows a simple example of code that executes script in the browser of an
This issue may allow for the theft of authentication credentials.
.:: VENDOR RESPONSE
The filename is fwa655d.exe
.:: CVE INFORMATION
.:: DISCLOSURE TIMELINE
06/14/2005 Initial vendor notification
06/14/2005 Initial vendor response
07/19/2005 Coordinated public disclosure
Francisco Amato is credited with discovering this vulnerability.
.:: LEGAL NOTICES
Copyright (c) 2005 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Infobyte Security Research Response.
Reprinting the whole or part of this alert in any medium other than
requires permission from infobyte com ar
The information in the advisory is believed to be accurate at the time of
based on currently available information. Use of the information constitutes
for use in an AS IS condition. There are no warranties with regard to this
Neither the author nor the publisher accepts any liability for any direct,
consequential loss or damage arising from use of, or reliance on, this