oss-sec mailing list archives
CVE-2014-0103: Zarafa WebAccess/WebApp store passwords in cleartext on server
From: Robert Scheck <robert () fedoraproject org>
Date: Mon, 30 Jun 2014 01:31:05 +0200
Hello,

the Zarafa Collaboration Platform currently provides two web-based interfaces, the older WebAccess and the newer WebApp. The second is partially based on the first; however, it is not bundled in the same Zarafa tarball on the source code level (while WebAccess is); might be relevant to distributions and downstreams.

Zarafa WebAccess and WebApp store session information, including login credentials, on-disk in PHP session files. This session file contains a user's username and password to the Zarafa server in cleartext (CVE-2014-0103). Depending on the configured user backend in Zarafa, this might affect Zarafa internal users only or even LDAP user credentials used by multiple services.

Affected products:

  Zarafa WebAccess < 7.1.10
  Zarafa WebApp < 1.6 beta

Access Vector: Local
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

The flaw is solved in Zarafa WebAccess 7.1.10 and Zarafa WebApp 1.6 beta by using PHP's OpenSSL support, namely openssl_encrypt() and openssl_decrypt(). However, this requires PHP >= 5.3.0 while some Linux distributions like RHEL/CentOS 5 or SLES 10 ship PHP < 5.3 by default. On such systems Zarafa remains affected by this flaw.

As of writing there is no final release of Zarafa WebApp 1.6, thus installing the pre-release or backporting relevant code is required.

See also: https://bugzilla.redhat.com/show_bug.cgi?id=1073618 - thanks to the Red Hat Security Response Team, specifically to Vincent Danen.

With kind regards

Robert Scheck
--
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager
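
One way to check whether a given installation still writes the password to disk, as an added example that is not part of the original post or of Zarafa's code: log in with a throwaway account whose password is a known canary value, then scan the PHP session directory for that exact value. The field names and session contents in `demo()` are constructed sample data, and the `sess_` file prefix assumes PHP's default file-based session handler.

```python
import os
import re
import stat
import tempfile

# Field name directly before a value in PHP's default session serialization:
# top-level `name|` or, inside an array, `s:N:"name";`.
NAME_BEFORE = re.compile(rb'(?:(\w+)\||s:\d+:"(\w+)";)$')

def canary_fields(data, canary):
    """Names of string fields whose serialized value is exactly the canary."""
    needle = b's:%d:"%s";' % (len(canary), canary)
    names, pos = [], data.find(needle)
    while pos != -1:
        m = NAME_BEFORE.search(data, 0, pos)
        names.append((m.group(1) or m.group(2)).decode() if m else "?")
        pos = data.find(needle, pos + 1)
    return names

def audit_sessions(session_dir, canary):
    """Findings for sess_* files that hold the canary password verbatim."""
    findings = []
    for entry in sorted(os.listdir(session_dir)):
        path = os.path.join(session_dir, entry)
        if not (entry.startswith("sess_") and os.path.isfile(path)):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        # Group/other read bits widen the local exposure the advisory describes.
        exposed = bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))
        for name in canary_fields(data, canary):
            findings.append({"file": entry, "field": name, "other_readable": exposed})
    return findings

def demo():
    """Audit two constructed session files (sample data, not real Zarafa output)."""
    canary = b"Canary-7f3a!"
    blobs = {
        "sess_clear": b'username|s:5:"alice";password|s:12:"Canary-7f3a!";',
        "sess_sealed": b'username|s:5:"alice";password|s:24:"q0V4YW1wbGVDaXBoZXJ0ZXh0";',
    }
    with tempfile.TemporaryDirectory() as d:
        for fname, blob in blobs.items():
            with open(os.path.join(d, fname), "wb") as fh:
                fh.write(blob)
            os.chmod(os.path.join(d, fname), 0o600)
        return audit_sessions(d, canary)

if __name__ == "__main__":
    print(demo())
```

Point `audit_sessions()` at the directory named by PHP's `session.save_path` while the canary account is logged in; an empty result means the canary was not found as a plain string field.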