Novacoast Security Advisory

Novell GroupWise 6.5 Vulnerability

Synopsis:
Novacoast has discovered a vulnerability in the Novell GroupWise 6.5 Wireless Webaccess logging functionality. The software exposes all usernames and passwords within the log file in clear text. This information could be used to impersonate other users and allow unauthorized access to mail or network resources.

Description:
A key component of the Novell Nterprise family of one Net solutions, Novell® GroupWise® 6.5 is a cross-platform collaboration product that enables you to work smarter alone and with others over any type of network, wired to wireless, including the Internet. In addition to integrated e-mail and scheduling services, GroupWise offers task-, contact- and document-management services that increase productivity. GroupWise also delivers secure instant messaging, tools that help you manage daily activities more efficiently and extensive mobile-access capabilities. In a nutshell, this innovative, open standards-based approach to collaboration services provides security, control and mobility while increasing user productivity and reducing the cost of managing and maintaining your organization's essential communication and collaboration services.

Affected Version:
Novell GroupWise 6.5 Webaccess
Novell GroupWise Wireless Web Access
Novell Linux/Mac Beta Client
NetWare 5/6
Apache 1.3.x

Exploit:
None required.
Open sys:\apache\logs\access_log
Passwords are listed as part of the URL. They are preceded with username=****&password=****

Recommended Solution:
Upgrade to Novell GroupWise 6.5 SP1

Status:
This bug has been submitted and acknowledged, and a fix has been created and included with the latest service pack for Novell GroupWise 6.5.
It can be downloaded from:
http://support.novell.com

Additional information can be found at the following location:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10085583.htm

Disclaimer:
Novacoast accepts no liability or responsibility for the content of this report, or for the consequences of any actions taken on the basis of the information provided within. Dissemination of this information is granted provided it is presented in its entirety. Modifications may not be made without the explicit permission of Novacoast.

Adam Gray
CTO
Novacoast, Inc.
agray@novacoast.com
http://www.novacoast.com
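An added example, not part of the Novacoast advisory or of any Novell tooling: a cleanup pass over an existing access_log that redacts the logged password values and lists the accounts whose credentials were exposed. It assumes the log uses Apache's common log format; the parameter names username and password come from the advisory, while the request path /placeholder/login and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of an Apache access_log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# The password parameter named in the advisory, matched case-insensitively
PASSWORD_RE = re.compile(r"(?i)(?<=[?&])(password=)[^&]*")


def scrub_line(line):
    """Return (redacted_line, username); username is None if nothing leaked."""
    m = REQUEST_RE.search(line)
    if not m or not PASSWORD_RE.search(m.group("target")):
        return line, None
    target = m.group("target")
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    user = next((v for k, v in params if k.lower() == "username"), "(unknown)")
    start, end = m.span("target")
    # Replace only the password value so the rest of the entry stays intact
    return line[:start] + PASSWORD_RE.sub(r"\1[REDACTED]", target) + line[end:], user


def scrub_log(lines):
    """Redact every line and collect the accounts whose password was logged."""
    redacted, exposed = [], set()
    for line in lines:
        clean, user = scrub_line(line)
        redacted.append(clean)
        if user is not None:
            exposed.add(user)
    return redacted, sorted(exposed)


# Constructed sample lines; the path /placeholder/login is hypothetical.
SAMPLE = [
    '10.0.0.5 - - [01/Oct/2003:10:00:00 -0700] "GET /placeholder/login?username=jdoe&password=Winter03 HTTP/1.0" 200 512',
    '10.0.0.6 - - [01/Oct/2003:10:00:05 -0700] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.7 - - [01/Oct/2003:10:01:00 -0700] "GET /placeholder/login?Password=s3cret%21&username=asmith HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    redacted, accounts = scrub_log(SAMPLE)
    print("\n".join(redacted))
    print("Accounts needing a password reset:", ", ".join(accounts))
```

Redaction only cleans entries already written; the accounts it lists still need new passwords, and the upgrade named under Recommended Solution is what stops new entries from being logged.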