| Plugin ID | 347 |
| Plugin name | Novell GroupWise WebAccess prior 6.5.3 about html injection |
| Plugin filename | Novell GroupWise WebAccess prior 6.5.3 about html injection.plugin |
| Plugin filesize | 2984 bytes |
| Plugin family | CGI |
| Plugin created name | Marc Ruef |
| Plugin created email | marc.ruef at computec.ch |
| Plugin created web | http://www.computec.ch |
| Plugin created company | computec.ch |
| Plugin created date | 2004/12/09 |
| Plugin version | 1.0 |
| Plugin protocol | tcp |
| Plugin port | 80 |
| Plugin procedure exploit | open|send GET /servlet/webacc?error=about HTTP/1.0\n\n|close|pattern_exists HTTP/#.# ### *Program Release* |
| Plugin exploit accuracy | 99 |
| Plugin comment | This plugin was written with the ATK Attack Editor. |
| Bug published name | Marc Ruef |
| Bug published email | marc.ruef at computec.ch |
| Bug published web | http://www.computec.ch |
| Bug published company | computec.ch |
| Bug published date | 2004/12/09 |
| Bug produced name | Novell |
| Bug produced email | info at novell.com |
| Bug produced web | http://www.novell.com |
| Bug affected | Novell GroupWise WebAccess prior 6.5.3 |
| Bug not affected | Novell GroupWise WebAccess newer than 6.5.3 or other products |
| Bug vulnerability class | Weak Authentication |
| Bug false positives | This depends on how Novell will fix this flaw. |
| Bug description | It is possible to circumvent the login procedure. The about template can be specified as the error document with the $QUERY_STRING variable error, which makes it possible to get the version of the installed GroupWise framework. This information may be useful for launching further attacks. |
| Bug solution | The flaws may be patched with an upcoming bugfix or a new software release. As a workaround, you should deny untrusted incoming connections to your WebAccess through firewalling. |
| Bug fixing time | Approx. 30 minutes |
| Bug exploit availability | Yes |
| Bug exploit url | https://www.computec.ch/servlet/webacc?error=about |
| Bug remote | Yes |
| Bug local | Yes |
| Bug severity | High |
| Bug popularity | 6 |
| Bug simplicity | 8 |
| Bug impact | 7 |
| Bug risk | 7 |
| Source scipID | 1021 |
| Source Literature | Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X |
| Source Misc. | http://developer.novell.com/ndk/doc/gwwbacc/index.html?page=/ndk/doc/gwwbacc/gwwebacc/data/a6l4t54.html |