CVE-2014-0103: Zarafa WebAccess/WebApp store passwords in cleartext on server
by Robert Scheck
Good evening,
some time ago it was discovered that Zarafa's WebAccess and WebApp store
session information, including login credentials, on disk in PHP session
files. This session file would contain a user's username and password to
Zarafa in cleartext.
If Zarafa WebAccess or WebApp was run on a shared hosting site (multiple
web sites on the same server), an administrator of another server, with
the ability to upload arbitrary scripts to the server, could use this
to obtain these Zarafa credentials due to both sites being run by the same
Apache user, and the PHP session files being owned by the same.
In a non-shared hosting environment, or one using something like suEXEC,
where the PHP session files are owned by individual users on a per-site
basis, this would not be an issue. In that case, only a local user able
to read these files (either as root or as the user running the Apache web
server) would be able to view the credentials.
Zarafa WebAccess 7.1.10 contains a fix for this issue which requires PHP >=
5.3. Red Hat Enterprise Linux 5 (and derivatives) provide PHP 5.1 by default
- and thus Zarafa WebAccess remains vulnerable on such systems.
I already proposed a patch to Zarafa to address this also for PHP < 5.3 and
this fix might be included in the upcoming Zarafa WebAccess 7.1.11.
For Fedora 19, 20, Rawhide and Red Hat Enterprise Linux 6 the best solution
is to update to Zarafa 7.1.10 (submitted today to testing repositories);
please have a look at my e-mail regarding the changelog and how best to update:
https://lists.fedoraproject.org/pipermail/zarafa-announce/2014-June/00005...
Zarafa WebApp is still vulnerable to CVE-2014-0103, a fix will be included
in the upcoming Zarafa WebApp 1.6 according to upstream. Have a look at Red
Hat Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=1073618 if you
would like to follow up on this issue and read more details.
In case there are any questions regarding this vulnerability feel free to
ask them either here on the mailing list or just send me a private e-mail.
The same of course applies to all Zarafa-related questions or issues ;-)
Greetings,
Robert
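The announcement above describes the symptom (a PHP session file on disk that carries the Zarafa username and password in cleartext) but not how to check a server for it. The script below is an added example, not code from the announcement or from the Zarafa project: it scans a PHP session.save_path for session files that serialize a password field, and separately lists session files readable by other accounts. It assumes the default "php" session serializer (key|serialized-value) and that the credential sits under a session key named "password"; the announcement does not name the key, so treat that pattern as an assumption to adjust. The sample session directory is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the announcement or the Zarafa project).
# Assumptions: default "php" session serializer, session key "password",
# and a constructed sample directory standing in for session.save_path
# (typically /var/lib/php/session on Fedora/RHEL).

# Print every sess_* file under $1 whose content carries a serialized
# "password" string; prints nothing when none is found.
find_cleartext_sessions() {
    dir=$1
    for f in "$dir"/sess_*; do
        [ -f "$f" ] || continue
        # 'password|s:' is how the php serializer writes $_SESSION['password']
        if grep -q 'password|s:' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of affected files, handy for a one-line summary or a monitoring check.
count_cleartext_sessions() {
    find_cleartext_sessions "$1" | wc -l | tr -d ' '
}

# Session files readable by other accounts (POSIX find: -perm -004 means
# "others have read"). Note that on shared hosting this check is not enough:
# every site's scripts run as the same Apache user and read 0600 files too.
world_readable_sessions() {
    find "$1" -name 'sess_*' -type f -perm -004
}

# --- constructed sample session directory (not real data) ---
SAMPLE_DIR=$(mktemp -d)
printf 'username|s:5:"alice";password|s:6:"secret";' > "$SAMPLE_DIR/sess_aaa111"
printf 'username|s:3:"bob";token|s:8:"deadbeef";'    > "$SAMPLE_DIR/sess_bbb222"
chmod 0600 "$SAMPLE_DIR"/sess_*
chmod 0644 "$SAMPLE_DIR/sess_bbb222"

echo "Session files with cleartext passwords: $(count_cleartext_sessions "$SAMPLE_DIR")"
find_cleartext_sessions "$SAMPLE_DIR"
echo "Session files readable by other accounts:"
world_readable_sessions "$SAMPLE_DIR"
```

To run this against a real server, replace SAMPLE_DIR with the value of `session.save_path` from `php -i` and run it as root, since the session files are normally owned by the Apache user; a non-zero count means the fixed WebAccess/WebApp version (or the PHP < 5.3 patch mentioned above) is not yet in place, or stale session files from before the update still need to be removed.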
Zarafa 7.1.10 has been submitted to updates-testing
by Robert Scheck
Good evening,
Zarafa 7.1.10 has been submitted to updates-testing (Fedora EPEL 5 and 6,
Fedora 19, 20 and Rawhide). Please note that there are no packages for
Fedora EPEL 7 so far due to an incomplete build chain. Here is the full
list of changes in Zarafa 7.1.10 [44973]:
Zarafa Collaboration Platform 7.1.10 final [44973]
==================================================
General
-------
This release brings a few new features while maintaining stability. This
release is identical to the RC since no reports have arrived upstream and
additional testing has not shown any issues.
Backend
-------
- ZCP-12380: Avoid violating RFC 3501 at partial IMAP fetch request
- ZCP-12337: Provide support for offline S/MIME public certificates
- ZCP-12226: ZWS breaks opensource build
- ZCP-12219: Enhance MariaDB support by modifying sql_mode
- ZCP-12162: Implement "Reinvite" for Zarafa ical
- ZCP-11730: zarafa-mailbox-permissions man page error
- ZCP-11835: zarafa-set-oof does not accept argument "-n"
- ZCP-12115: support ubuntu 14.04
- ZCP-12142: Patch: Option to disable all plaintext authentications unless
SSL/TLS is used
- ZCP-12162: Implement "Reinvite" for Zarafa ical
- ZCP-12200: Patch: POP3 RESP-CODES and AUTH-RESP-CODE support in
Zarafa-Gateway
- ZCP-12013: Log the reason why a socket error was thrown
- ZCP-12219: Enhance MariaDB support by modifying sql_mode
- ZCP-12227: Enhance DAgent log level prios
- ZCP-12232: Patch: POP3 CAPA (CAPABILITIES) support in Zarafa-Gateway
- ZCP-12234: Include email address when forwarding mails with a rule
(community contribution)
- ZCP-12270: Change maintainer line for debian packages
- ZCP-12338: Allow administrators to backup archive stores (show GUID via
zarafa-admin)
- ZCP-12339: Personal archive store not opened if archive server name in
ADS does not match the casing of the actual name.
- ZCP-12340: Patch: Repair broken ssl_enable_v2 setting for Zarafa 7.1.x
- ZCP-12342: Zarafa-backup creates empty folders for skipped companies
- ZCP-9899: Update GSoap to 2.8.x
You should be able to update to Zarafa 7.1.10 by using something like:
yum update --enablerepo=updates-testing 'zarafa*'
on all Fedora releases and for Fedora EPEL you should use the following:
yum update --enablerepo=epel-testing 'zarafa*'
After testing, please add positive or negative karma to the Zarafa packages
in Bodhi:
https://admin.fedoraproject.org/updates/zarafa
And if you should find bugs or issues, please file a bug report in Red Hat
Bugzilla as described here:
http://fedoraproject.org/wiki/Zarafa#Bugs
Your feedback is very much appreciated.
Greetings,
Robert
Z-Push 2.1.2 has been built at RPM Fusion
by Robert Scheck
Good evening,
Z-Push 2.1.2 has been built at RPM Fusion for Fedora 21, 20, 19 as well as
for Red Hat Enterprise Linux 6 and 5 - and should be available through the
regular updates repository. And here is the full list of changes in Z-Push
2.1.2 [1873]:
Z-Push 2.1.2 [1873]
===================
New features
------------
- ZP-462: Enhance Z-Push webservice api to give list of users
General
-------
- ZP-467: Process ItemOperations:Schema tag
- ZP-477: Interpret WindowsSize of 0 as 512
- ZP-481: Empty Supported tag breaks synchronization
- ZP-493: Z-Push state version file is broken
- ZP-494: LG-D802 stops syncing after Settings command
Zarafa
------
- ZP-489: Attendee of MR is duplicated
You should be able to update to Z-Push 2.1.2 by using
yum update 'z-push*'
on all Fedora and Red Hat Enterprise Linux releases once it's pushed to the
repository. If you should find bugs or issues, please file a bug report in
RPM Fusion Bugzilla as described here:
http://fedoraproject.org/wiki/Zarafa#Bugs
Your feedback is very much appreciated.
Greetings,
Robert