Date: Mon, 30 Jun 2014 01:31:05 +0200
From: Robert Scheck <robert@...oraproject.org>
To: Open Source Security Mailing List <oss-security@...ts.openwall.com>
Subject: CVE-2014-0103: Zarafa WebAccess/WebApp store passwords in cleartext
 on server

Hello,

The Zarafa Collaboration Platform currently provides two web-based
interfaces, the older WebAccess and the newer WebApp. The second is
partially based on the first; however, it is not bundled in the same
Zarafa tarball on the source code level (while WebAccess is), which
might be relevant to distributions and downstreams.

Zarafa WebAccess and WebApp store session information, including
login credentials, on disk in PHP session files. Such a session file
contains the user's username and password for the Zarafa server in
cleartext (CVE-2014-0103). Depending on the user backend configured
in Zarafa, this might affect Zarafa internal users only or even LDAP
user credentials used by multiple services.

Affected products: Zarafa WebAccess < 7.1.10
                   Zarafa WebApp < 1.6 beta

Access Vector: Local
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

The flaw is solved in Zarafa WebAccess 7.1.10 and Zarafa WebApp 1.6
beta by using PHP's OpenSSL support, namely openssl_encrypt() and
openssl_decrypt(). However, this requires PHP >= 5.3.0, while some
Linux distributions like RHEL/CentOS 5 or SLES 10 ship PHP < 5.3 by
default. On such systems Zarafa remains affected by this flaw.

As of writing there is no final release of Zarafa WebApp 1.6, thus
installing the pre-release or backporting relevant code is required.

See also: https://bugzilla.redhat.com/show_bug.cgi?id=1073618 - thanks
to the Red Hat Security Response Team, specifically to Vincent Danen.


With kind regards

Robert Scheck
-- 
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager
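
An added example, not part of the original message and not Zarafa code: a small auditor for the on-disk PHP session files described above. It parses the default "php" session serialization and lists the paths of fields whose names suggest stored credentials, so an administrator can review them. The key-name pattern and the sample field names are assumptions, and objects (O:) are not handled.

```python
import re

# Assumption: the advisory does not name the session fields, so keys are
# matched by name. A hit is a candidate for review, not proof of cleartext.
SUSPECT = re.compile(rb"pass|pwd|secret", re.I)

def _parse(buf, i):
    """Parse one PHP-serialized value at buf[i]; return (value, next_index)."""
    t = buf[i:i + 1]
    if t == b"N":                                  # N;
        return None, i + 2
    if t in (b"b", b"i", b"d"):                    # b:1;  i:42;  d:0.5;
        end = buf.index(b";", i)
        num = buf[i + 2:end]
        return (float(num) if t == b"d" else int(num)), end + 1
    if t == b"s":                                  # s:<byte length>:"<bytes>";
        colon = buf.index(b":", i + 2)
        end = colon + 2 + int(buf[i + 2:colon])
        return buf[colon + 2:end], end + 2
    if t == b"a":                                  # a:<count>:{<key><value>...}
        colon = buf.index(b":", i + 2)
        count, out, i = int(buf[i + 2:colon]), {}, colon + 2
        for _ in range(count):
            key, i = _parse(buf, i)
            out[key], i = _parse(buf, i)
        return out, i + 1                          # skip the closing "}"
    raise ValueError("unsupported type %r at offset %d" % (t, i))

def parse_session(buf):
    """Split 'name|value' records written by PHP's default 'php' handler."""
    out, i = {}, 0
    while i < len(buf):
        bar = buf.index(b"|", i)
        name = buf[i:bar]
        out[name], i = _parse(buf, bar + 1)
    return out

def credential_fields(buf):
    """Return paths of non-empty strings stored under credential-like keys."""
    hits = []
    def walk(node, path):
        for k, v in node.items():
            here = path + [k.decode("utf-8", "replace") if isinstance(k, bytes) else str(k)]
            if isinstance(v, dict):
                walk(v, here)
            elif isinstance(v, bytes) and v and isinstance(k, bytes) and SUSPECT.search(k):
                hits.append("/".join(here))        # path only, never the value
    walk(parse_session(buf), [])
    return hits

# Constructed sample; field names are illustrative, not Zarafa's real ones.
SAMPLE = (b'lang|s:5:"en_US";sessions|a:1:{s:4:"user";a:2:{s:8:"username";'
          b's:5:"alice";s:8:"password";s:7:"example";}}hits|i:3;')

if __name__ == "__main__":
    print(credential_fields(SAMPLE))
```

To audit a host, read each file under PHP's session.save_path in binary mode and pass its contents to credential_fields(); truncated or malformed files raise ValueError.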
