| VID | 21466 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | Servlet |
| Detailed Description |
Novell GroupWise WebAccess is vulnerable to an authentication bypass. GroupWise is the commercial groupware package distributed and maintained by Novell. Novell GroupWise WebAccess could allow a remote attacker to bypass authentication and gain unauthorized access to the program by accessing the 'webacc' servlet and providing unexpected parameter data. When an authentication attempt fails, the affected servlet invokes an error page that is passed through the 'error' URI parameter. If this parameter is given the value 'webacc', authentication will be bypassed and the attacker will gain access to the affected Web application.
* References: http://www.securityfocus.com/archive/1/387566
* Platforms Affected: Novell, Inc., Novell GroupWise WebAccess (any version); Novell, Inc., Novell NetWare (any version); Microsoft Windows (any version); Novell NetWare (any version); Linux (any version) |
| Recommendation |
No upgrade or patch available as of June 2014.
As a workaround, Novell reports that customers who are concerned about product version information being leaked may edit the 'login.htt' and 'about.htt' template files to remove this information. This may be accomplished by removing line 313 from 'login.htt' and line 37 from 'about.htt'. Further information can be found in the advisory at http://www.securityfocus.com/advisories/7881 |
| Related URL | (CVE) |
| Related URL | 12285 (SecurityFocus) |
| Related URL | 18954 (ISS) |
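
With no patch available, past use of the 'error' parameter described above can be looked for in web server access logs. The following Python script is an added example, not part of the original advisory or of Novell's code; it assumes Common Log Format entries, and the `/servlet/webacc` path, the IP addresses and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed log format: Common/Combined Log Format (not stated in the advisory).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_suspect(target):
    """True if the request targets a 'webacc' servlet with error=webacc."""
    parts = urlsplit(target)
    # Last path segment, without ';jsessionid=...' style path parameters.
    servlet = parts.path.rstrip("/").rsplit("/", 1)[-1].split(";", 1)[0]
    if unquote(servlet).lower() != "webacc":
        return False
    # parse_qs percent-decodes names and values, so encoded forms match too.
    # Case-insensitive matching is a deliberate over-match for detection.
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(
        name.lower() == "error" and any(v.strip().lower() == "webacc" for v in values)
        for name, values in params.items()
    )

def find_hits(log_text):
    """Return (client_ip, request_target, status) for each suspect log line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspect(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges; the /servlet/ path is assumed).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2014:10:00:01 +0000] "GET /servlet/webacc HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jun/2014:10:00:07 +0000] "POST /servlet/webacc HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jun/2014:10:02:13 +0000] "GET /servlet/webacc?error=webacc HTTP/1.1" 200 7301
198.51.100.7 - - [01/Jun/2014:10:02:19 +0000] "GET /servlet/webacc?lang=en&%65rror=WebAcc HTTP/1.1" 200 7290
203.0.113.5 - - [01/Jun/2014:10:03:00 +0000] "GET /servlet/webacc?error=login HTTP/1.1" 200 1890
203.0.113.5 - - [01/Jun/2014:10:03:05 +0000] "GET /help/index.html?error=webacc HTTP/1.1" 404 312
"""

if __name__ == "__main__":
    for ip, target, status in find_hits(SAMPLE_LOG):
        print(f"{ip} -> {target} (HTTP {status})")
```

Access logs record the query string only, so a parameter sent in a POST body will not appear there; covering that case requires inspection at a reverse proxy or web application firewall.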