Novell NetWare Enterprise Web Server / GroupWise contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'User.id' or 'GWAP.version' variables upon submission to the 'webacc' utility. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

From Novell:

Novell has reviewed Secunia Security Advisory SA10713 and has concluded that although a user can indeed embed scripts into a page returned by WebAccess via the method suggested, this approach does not provide a path for accessing information outside of that user's account. So although it may have the appearance that malicious script activity can occur, some other method is required to get in to another user's account before this scripting method can be used. For example, unless user "John" has another method for accessing someone else's account, the only account that can be maliciously "attacked" via embedded scripts is John's own account, and any actions will be isolated to his own information.

Upgrade to version CSP 8 for 5.1, CSP 5 for 6.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Secunia Advisory ID: 10711 10713
• CVE ID: 2004-2103 (see also: NVD)
• Related OSVDB ID: 3714 4950 55361 55362
• Bugtraq ID: 9508
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-01/0223.html
• Vendor Specific Advisory URL: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10091096.htm
• Vendor URL: http://www.Novell.com
  http://www.novell.com
  http://www.novell.com/products/groupwise/

• Rafel Ivgi - the_insidermail.com - Personal Page