Good evening,
Some time ago it was discovered that Zarafa's WebAccess and WebApp store session information, including login credentials, on disk in PHP session files. Such a session file contains the user's Zarafa username and password in cleartext.
If Zarafa WebAccess or WebApp was run in a shared hosting environment (multiple web sites on the same server), an administrator of another web site on that server with the ability to upload arbitrary scripts could use this to obtain the Zarafa credentials, because both sites run as the same Apache user and the PHP session files are owned by that user.
In a non-shared hosting environment, or one using something like suEXEC, where the PHP session files are owned by individual users on a per-site basis, this would not be an issue. In that case, only a local user able to read these files (either as root or as the user running the Apache web server) would be able to view the credentials.
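An added audit check for the two conditions described above (session files readable by other accounts, and credential-like keys stored inside them); this is not part of this announcement or of Zarafa's code, and it assumes a session.save_path directory plus two constructed sample session files:

```python
"""Audit a PHP session.save_path: flag session files other accounts can read and
session files that carry credential-like keys. Credential values are never returned."""
import os
import re
import stat
import tempfile

CREDENTIAL_KEYS = re.compile(r"^(pass(word|wd)?|pw|secret)$", re.I)
# Top-level PHP session entries are serialized as   name|<serialize() output>
TOP_LEVEL_KEY = re.compile(r"(?:^|[;}])(\w+)\|")
# Array keys (and string values) inside the blob look like   s:8:"password";
ARRAY_STRING = re.compile(r's:\d+:"(\w+)";')

def credential_keys(session_blob):
    """Heuristic: every top-level key and every quoted string found inside the
    serialized data is checked by name against CREDENTIAL_KEYS."""
    names = set(TOP_LEVEL_KEY.findall(session_blob)) | set(ARRAY_STRING.findall(session_blob))
    return sorted(n for n in names if CREDENTIAL_KEYS.match(n))

def audit_session_dir(save_path):
    """Return (filename, finding) pairs for every sess_* file under save_path."""
    findings = []
    for name in sorted(os.listdir(save_path)):
        if not name.startswith("sess_"):
            continue
        full = os.path.join(save_path, name)
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if mode & 0o077:  # group or other can reach the file
            findings.append((name, "readable by group/other (mode %o)" % mode))
        with open(full, encoding="latin-1") as fh:
            keys = credential_keys(fh.read())
        if keys:
            findings.append((name, "cleartext credential key(s): " + ", ".join(keys)))
    return findings

def demo():
    """Constructed sample: two session files in a temporary directory, both created
    world-readable as a shared Apache user typically would."""
    tmp = tempfile.mkdtemp()
    samples = {
        "sess_aaaa": 'zarafa|a:2:{s:8:"username";s:5:"alice";s:8:"password";s:7:"example";}',
        "sess_bbbb": 'lang|s:5:"en_GB";token|s:32:"' + "0" * 32 + '";',
    }
    for name, blob in samples.items():
        path = os.path.join(tmp, name)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(blob)
        os.chmod(path, 0o644)
    return audit_session_dir(tmp)
```

Run `audit_session_dir()` against the real session.save_path of each site; a credential finding on a directory shared with other sites is exactly the situation described above.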
Zarafa WebAccess 7.1.10 contains a fix for this issue which requires PHP >= 5.3. Red Hat Enterprise Linux 5 (and derivatives) provide PHP 5.1 by default, and thus Zarafa WebAccess remains vulnerable on such systems. I already proposed a patch to Zarafa to address this also for PHP < 5.3, and this fix might be included in the upcoming Zarafa WebAccess 7.1.11.
For Fedora 19, 20, Rawhide and Red Hat Enterprise Linux 6 the best solution is to update to Zarafa 7.1.10 (submitted today to the testing repositories); please have a look at my e-mail regarding the changelog and how best to update: https://lists.fedoraproject.org/pipermail/zarafa-announce/2014-June/000053.h...
Zarafa WebApp is still vulnerable to CVE-2014-0103; a fix will be included in the upcoming Zarafa WebApp 1.6 according to upstream. Have a look at Red Hat Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=1073618 if you would like to follow up on this issue in general and with more details.
In case there are any questions regarding this vulnerability, feel free to ask them either here on the mailing list or just send me a private e-mail. The same of course applies to all Zarafa-related questions or issues ;-)
Greetings, Robert
zarafa@lists.fedoraproject.org