Date: Sun, 7 Dec 2014 13:16:05 +0100
From: Robert Scheck <robert@...oraproject.org>
To: Open Source Security Mailing List <oss-security@...ts.openwall.com>
Cc: Red Hat Security Response Team <secalert@...hat.com>
Subject: CVE request: Unauthenticated remote disk space exhaustion in Zarafa WebAccess and WebApp

Good afternoon,

I discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp (any
version) that could allow a remote unauthenticated attacker to exhaust the
disk space of /tmp. Depending on the setup, /tmp might be on / (e.g. RHEL).
Zarafa WebApp is a fork and the successor of the Zarafa WebAccess.

The affected files are /usr/share/zarafa-webaccess/senddocument.php as well
as /usr/share/zarafa-webapp/senddocument.php. The default upload size is 30
MB (via /etc/httpd/conf.d/zarafa-webaccess.conf / zarafa-webapp.conf).

I do not know if $tmpname is predictable (for race conditions) but likely
not. The 2nd parameter is only a prefix according to the PHP documentation
of tempnam().

Upstream removed the file "senddocument.php" (which is neither referenced
nor used anywhere in the code) as the solution and thus followed my suggestion
for Zarafa WebApp 2.0 beta 3 (SVN 46848) and Zarafa WebAccess 7.2.0 beta 1
(SVN 47004).

See https://bugzilla.redhat.com/show_bug.cgi?id=1139442 for the whole history.


With kind regards

Robert Scheck
-- 
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager
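A model of the failure mode described in this report and of the gating a handler needs, added here as an example; it is not Zarafa's code (the senddocument.php source is not quoted in the message). The handler names, the 1 KB chunks and the 10 KB spool budget are constructed for the demonstration.

```python
import os
import tempfile

class DiskFull(Exception):
    pass

def spool_usage(spool_dir):
    """Bytes currently held by regular files in the spool directory."""
    return sum(e.stat().st_size for e in os.scandir(spool_dir) if e.is_file())

def vulnerable_upload(spool_dir, data):
    """Pattern described in the report: any client's body is written to a
    fresh tempnam()-style file (mkstemp here) and nothing ever removes it."""
    fd, path = tempfile.mkstemp(prefix="php", dir=spool_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def hardened_upload(spool_dir, data, authenticated, max_bytes, budget_bytes):
    """Refuse anonymous callers, cap the request size, and keep total spool
    usage under a budget so a flood of uploads cannot fill /tmp (and thus /)."""
    if not authenticated:
        raise PermissionError("login required")
    if len(data) > max_bytes:
        raise ValueError("upload exceeds size limit")
    if spool_usage(spool_dir) + len(data) > budget_bytes:
        raise DiskFull("spool budget exhausted")
    return vulnerable_upload(spool_dir, data)  # same write, now gated

def demo(chunk=b"A" * 1024, budget=10 * 1024):
    """Constructed scenario: 8 anonymous uploads land unconditionally, then
    1 anonymous and 8 authenticated uploads go through the hardened path.
    Returns (bytes spooled by old path, anon refused, accepted, rejected)."""
    with tempfile.TemporaryDirectory() as spool:
        for _ in range(8):
            vulnerable_upload(spool, chunk)
        before = spool_usage(spool)
        try:
            hardened_upload(spool, chunk, False, len(chunk), budget)
            anon_refused = False
        except PermissionError:
            anon_refused = True
        accepted = rejected = 0
        for _ in range(8):
            try:
                hardened_upload(spool, chunk, True, len(chunk), budget)
                accepted += 1
            except DiskFull:
                rejected += 1
        return before, anon_refused, accepted, rejected
```

The budget check is advisory (another request can race it), so on a real host it complements, rather than replaces, putting /tmp on its own filesystem so that exhaustion cannot take / down with it.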
