Multiple vulnerabilities have been reported in Novell GroupWise, which can be exploited by malicious users to conduct script insertion attacks and bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), disclose potentially sensitive information, and potentially compromise a vulnerable system.

1) An integer overflow error in GroupWise Internet Agent (gwia.exe) when copying request data can be exploited to cause a heap-based buffer overflow by e.g. sending a specially crafted request with the "Content-Length" header value set to "-1" to the web-based administration interface (TCP port 9850).

2) Input passed via the "merge" parameter to the "Search Document" form in the WebAccess component is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser section in context of an affected site.

3) An error in NgwiCalTimeProperty::datetime() in gwww1.dll when parsing date and time information in iCalendar messages can be exploited to reference out-of-bounds memory and crash GroupWise Internet Agent (GWIA).

4) The application bundles unsafe versions of the Oracle "Outside In" parsers.

For more information:
SA49936

5) Input passed to the HTTP interfaces of the Office, Message Transfer, and Internet agents is not properly verified before being used to read files. This can be exploited to disclose arbitrary files via directory traversal sequences.

6) Certain input passed via an email signature is not properly sanitised in the postbox of the WebAccess component before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

7) An integer overflow error in the LDAP server within the GroupWise Internet Agent (gwia.exe) when parsing a BER encoded chunk can be exploited to cause a buffer overflow via specially crafted packets sent to TCP port 389.

8) An unspecified error exists when openings files. No further information is currently available.

Successful exploitation of vulnerabilities #1, #7, and #8 may allow execution of arbitrary code.

9) An error exists within the eDirectory authentication mechanism, which can be exploited to gain access to other GroupWise accounts.

The vulnerabilities are reported in version 8.0.2 HP3; some are also reported in version 2012. Other versions may also be affected.

Solution
Update to version 8.0 SP3 Hot Patch 1 or later or version 2012 Support Pack 1.

Provided and/or discovered by
1) Francis Provencher, Protek Research Labs via Secunia.
2) Joshua Tiago, Cirosec via Secunia.
3) Carsten Eiram, Secunia Research.
5) r () b13$, Digital Defense, Inc. Vulnerability Research Team.
6) Joshua Tiago, Cirosec via Secunia.
7) Francis Provencher, Protek Research Labs via ZDI.
8) The vendor credits Pavel Polischouk, Telus Security Labs.
9) Reported by the vendor.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Novell:
http://download.novell.com/Download?buildid=O5hTjIiMdMo~
http://www.novell.com/support/kb/doc.php?id=7010769
http://www.novell.com/support/kb/doc.php?id=7010767
http://www.novell.com/support/kb/doc.php?id=7010368
http://www.novell.com/support/kb/doc.php?id=7010569
http://www.novell.com/support/kb/doc.php?id=7010772
http://www.novell.com/support/kb/doc.php?id=7010768
http://www.novell.com/support/kb/doc.php?id=7010770
http://www.novell.com/support/kb/doc.php?id=7010771
http://www.novell.com/support/kb/doc.php?id=7010773

Secunia Research:
http://secunia.com/secunia_research/2012-30/

Protek Research Labs:
http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=61&Itemid=61
http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=66&Itemid=66

Digital Defense (DDIVRT-2012-42):
http://seclists.org/fulldisclosure/2012/Sep/161

ZDI-012-196:
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0213.html

Other references
Further details available to Secunia VIM customers

Technical Analysis
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers