[Zarafa] CVE-2014-0103: Zarafa WebAccess/WebApp store passwords in cleartext on server

Robert Scheck robert at fedoraproject.org
Sun Jun 29 21:06:36 UTC 2014


Good evening,

some time ago it was discovered that Zarafa's WebAccess and WebApp store
session information, including login credentials, on-disk in PHP session
files. This session file would contain a user's username and password to
Zarafa in cleartext.

If Zarafa WebAccess or WebApp was run on a shared hosting site (multiple
web sites on the same server), an administrator of another site on that
server, with the ability to upload arbitrary scripts to the server, could
use this to obtain these Zarafa credentials, due to both sites being run by
the same Apache user and the PHP session files being owned by the same.

In a non-shared hosting environment, or one using something like suEXEC,
where the PHP session files are owned by individual users on a per-site
basis, this would not be an issue. In that case, only a local user able
to read these files (either as root or as the user running the Apache web
server) would be able to view the credentials.

Zarafa WebAccess 7.1.10 contains a fix for this issue which requires PHP >=
5.3. Red Hat Enterprise Linux 5 (and derivatives) provide PHP 5.1 by default
- and thus Zarafa WebAccess remains vulnerable on such systems for now.
I already proposed a patch to Zarafa to address this also for PHP < 5.3 and
this fix might be included in the upcoming Zarafa WebAccess 7.1.11.

For Fedora 19, 20, Rawhide and Red Hat Enterprise Linux 6 the best solution
is to update to Zarafa 7.1.10 (submitted today to the testing repositories);
please have a look at my e-mail regarding the changelog and how best to update:
https://lists.fedoraproject.org/pipermail/zarafa-announce/2014-June/000053.html

Zarafa WebApp is still vulnerable to CVE-2014-0103; a fix will be included
in the upcoming Zarafa WebApp 1.6 according to upstream. Have a look at Red
Hat Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=1073618 if you
would like to follow up on this issue in general and with more details.

In case there are any questions regarding this vulnerability, feel free to
ask them either here on the mailing list or just send me a private e-mail.
The same of course also applies to all Zarafa-related questions or issues ;-)


Greetings,
  Robert
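Added example (editor's note, not part of Robert's mail and not Zarafa or
Fedora code): an audit script for the situation the mail describes. It
parses PHP's "php" session serializer format (name|value;name|value...),
walks a session save path, reports session files whose entries carry a
credential-like key with a non-empty string value, and records whether the
file is owned by the web server user, which is what makes it readable by
any other script running as that user on a shared host. The key names
"username"/"password", the regex of sensitive key names and the sample
session contents are constructed for illustration; the advisory does not
name the actual keys Zarafa WebAccess/WebApp used.

```python
"""Audit a PHP session save path for cleartext credentials.

Added example, not from the advisory or from Zarafa. Sensitive key names
and the sample session files below are constructed assumptions.
"""
import os
import re
import stat
import tempfile
from typing import Optional

# Assumed pattern for credential-like session keys (not from the advisory).
SENSITIVE_KEY = re.compile(r"^(pass(word|wd)?|pwd|secret|credential)$", re.IGNORECASE)


class PhpUnserializer:
    """Minimal parser for PHP serialize() output: types s, i, d, b, N and a."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def parse(self):
        tag = self.data[self.pos:self.pos + 1]
        if tag == b"N":                       # "N;"
            self.pos += 2
            return None
        if tag in (b"i", b"d", b"b"):         # "i:42;", "d:1.5;", "b:1;"
            end = self.data.index(b";", self.pos)
            raw = self.data[self.pos + 2:end].decode()
            self.pos = end + 1
            return {b"i": int, b"d": float, b"b": lambda v: v == "1"}[tag](raw)
        if tag == b"s":                       # 's:5:"alice";' (length-prefixed, so ; and | inside are safe)
            colon = self.data.index(b":", self.pos + 2)
            length = int(self.data[self.pos + 2:colon])
            start = colon + 2                 # skip ':"'
            value = self.data[start:start + length]
            self.pos = start + length + 2     # skip '";'
            return value.decode("utf-8", "replace")
        if tag == b"a":                       # 'a:2:{<key><value><key><value>}'
            colon = self.data.index(b":", self.pos + 2)
            count = int(self.data[self.pos + 2:colon])
            self.pos = colon + 2              # skip ':{'
            result = {}
            for _ in range(count):
                key = self.parse()
                result[key] = self.parse()
            self.pos += 1                     # skip '}'
            return result
        raise ValueError("unsupported serialized type %r at offset %d" % (tag, self.pos))


def parse_session_file(data: bytes) -> dict:
    """Decode a session file written by PHP's default 'php' serialize handler."""
    parser = PhpUnserializer(data)
    session = {}
    while parser.pos < len(data):
        bar = data.index(b"|", parser.pos)
        name = data[parser.pos:bar].decode()
        parser.pos = bar + 1
        session[name] = parser.parse()
    return session


def find_credentials(value, path=""):
    """Return dotted paths of credential-like keys holding non-empty strings."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = "%s.%s" % (path, key) if path else str(key)
            if isinstance(key, str) and SENSITIVE_KEY.match(key) and isinstance(child, str) and child:
                hits.append(child_path)
            hits.extend(find_credentials(child, child_path))
    return hits


def audit_session_dir(save_path: str, web_user_uid: Optional[int] = None) -> list:
    """Scan sess_* files under save_path; flag those exposing credentials."""
    findings = []
    for name in sorted(os.listdir(save_path)):
        if not name.startswith("sess_"):
            continue
        full = os.path.join(save_path, name)
        st = os.stat(full)
        with open(full, "rb") as fh:
            data = fh.read()
        try:
            session = parse_session_file(data)
        except (ValueError, UnicodeDecodeError):
            continue                          # not the 'php' handler format; skip
        keys = find_credentials(session)
        if keys:
            findings.append({
                "file": name,
                "keys": keys,
                # Owned by the web server user: any script run as that user (other
                # vhosts on a shared host without suEXEC) can read it.
                "owned_by_web_user": web_user_uid is None or st.st_uid == web_user_uid,
                "mode": stat.S_IMODE(st.st_mode),
            })
    return findings


# Constructed sample session content (assumed key names, not Zarafa's real ones).
SAMPLE_SESSION = (b'username|s:5:"alice";password|s:8:"hunter2!";'
                  b'prefs|a:2:{s:4:"lang";s:2:"en";i:0;b:1;}')
CLEAN_SESSION = b'username|s:3:"bob";token|s:6:"opaque";'


def demo() -> list:
    """Write two constructed session files to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sess_abc123"), "wb") as fh:
            fh.write(SAMPLE_SESSION)
        with open(os.path.join(tmp, "sess_def456"), "wb") as fh:
            fh.write(CLEAN_SESSION)
        return audit_session_dir(tmp, web_user_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host you would point audit_session_dir at session.save_path
from php.ini (commonly /var/lib/php/session) and pass the UID of the Apache
user; a finding with owned_by_web_user set is the shared-hosting case from
the mail, while a file owned by a per-site suEXEC user is only exposed to
that user and root.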