Novell GroupWise WebAccess Unauthorized Access Vulnerability

Bugtraq ID:	9864
Class:	Configuration Error
CVE:
Remote:	Yes
Local:	No
Published:	Mar 13 2004 12:00AM
Updated:	Mar 13 2004 12:00AM
Credit:	Announced by the vendor.
Vulnerable:	Novell Groupwise 6.5 SP2 Novell Groupwise 6.5 SP1 Novell Groupwise 6.5 Novell Groupwise 6.0 SP4 Novell Groupwise 6.0 SP3 Novell Groupwise 6.0 SP2 Novell Groupwise 6.0 SP1 Novell Groupwise 6.0
Not Vulnerable:

Novell GroupWise WebAccess Unauthorized Access Vulnerability

An issue has been reported in Novell GroupWise WebAccess that could allow unauthorized remote access to the WebAccess server. This is due to a configuration issue in the GWAPACHE.CONF file.

Novell GroupWise WebAccess Unauthorized Access Vulnerability

There is no exploit code required.

Novell GroupWise WebAccess Unauthorized Access Vulnerability

Solution:
The following solution has been provided by Novell:

To prevent unauthorized access to a GroupWise WebAccess server, you can edit the permissions section of the GWAPACHE.CONF file just under where the DocumentRoot is specified:

By default, that section reads:

# First, we configure the "default" to be a very restrictive set of
# permissions.
#
<Directory "/">
Options FollowSymLinks
AllowOverride None
</Directory>

That section should read:

<Directory "/">
Options FollowSymLinks
AllowOverride None
Order deny,allow
deny from all
</Directory>

Novell GroupWise WebAccess Unauthorized Access Vulnerability

References:

• Potential security issue with GroupWise WebAccess 6.0 and 6.5 - TID10091330 (Novell)