Date: Sun, 7 Dec 2014 13:16:05 +0100 From: Robert Scheck <robert@...oraproject.org> To: Open Source Security Mailing List <oss-security@...ts.openwall.com> Cc: Red Hat Security Response Team <secalert@...hat.com> Subject: CVE request: Unauthenticated remote disk space exhaustion in Zarafa WebAccess and WebApp Good afternoon, I discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp (any version) that could allow a remote unauthenticated attacker to exhaust the disk space of /tmp. Depending on the setup /tmp might be on / (e.g. RHEL). Zarafa WebApp is a fork and the successor of the Zarafa WebAccess. The affected files are /usr/share/zarafa-webaccess/senddocument.php as well as /usr/share/zarafa-webapp/senddocument.php. The default upload size is 30 MB (via /etc/httpd/conf.d/zarafa-webaccess.conf / zarafa-webapp.conf). I do not know if $tmpname is predictable (for race conditions) but likely not. The 2nd parameter is only a prefix according to the PHP documentation of tempnam(). Upstream removed the file "senddocument.php" (which is neither referenced nor used anywhere in the code) as solution and thus followed my suggestion for Zarafa WebApp 2.0 beta 3 (SVN 46848) and Zarafa WebAccess 7.2.0 beta 1 (SVN 47004). See https://bugzilla.redhat.com/show_bug.cgi?id=1139442 for whole history. With kind regards Robert Scheck -- Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.