GroupWise = Fail ! It's the buggiest software ever used

Not only is it awful to use, someone's going to steal all my email.

Having been part of that pen test, I can say that this article not quite accurate.

The vulnerability exists when acting as a logged in user - so it's one of your mates thats the problem!

These and a number of other issues in WebAccess are addressed in a release that is scheduled for this PM.

And as for buggy! I think you need to review the uptime of a GW system and compare that to Exchange - boy is that a laugh.

As in most CSRF bugs, the victim user must be logged-in when the attack occurs. This also applies to this GroupWise CSRF vuln. Notice that the victim user would be logged-in when the "evil" email is viewed via GroupWise WebAccess, thus this attack is practical. This is the very reason why cross-site vulnerabilities (XSS/CSRF) on webmail portals are considered serious: the victim user is *logged-in* when an email is viewed.

Hope this makes sense.

Regards,

ap.

All, I am the GroupWise Product Manager at Novell. A security patch is available now. Customers who are using GroupWise WebAccess should go to http://download.novell.com and download the latest patches (GroupWise 7 SP3 HP2 or GroupWise 8 HP1) to fix these vulnerabilities. Instructions to install the patches come with the download. Novell takes security seriously and has a proven history in addressing customer needs and GroupWise continues to be the most secure collaboration platform in enterprise email today.