CVE-2014-9465: Race Condition

First published: Mon Sep 08 2014(Updated: )

I discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp (any version) that could allow a remote unauthenticated attacker to exhaust the disk space of /tmp. Depending on the setup /tmp might be on / (e.g. RHEL). Zarafa WebApp is a fork and the successor of the Zarafa WebAccess. The affected files are /usr/share/zarafa-webaccess/senddocument.php as well as /usr/share/zarafa-webapp/senddocument.php. The default upload size is 30 MB (via /etc/httpd/conf.d/zarafa-webaccess.conf / zarafa-webapp.conf). I do not know if $tmpname is predictable (for race conditions) but likely not. The 2nd parameter is only a prefix according to the PHP documentation of tempnam(). From my point of view the file "senddocument.php" is neither referenced nor used anywhere in the code and could be simply removed. Upstream has been notified and I am awaiting their response. At the moment this RHBZ is only meant to have this tracked somewhere, please do not yet disclose.

Credit: cve@mitre.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-bugzilla
• alias/CVE-2014-9465
• collector/nvd-index
• agent/tags
• agent/weakness
• agent/references
• agent/severity
• agent/author
• agent/description
• agent/type
• agent/event
• agent/first-publish-date
• agent/last-modified-date
• package-manager/redhat
• vendor/fedoraproject
• canonical/fedoraproject fedora
• version/fedoraproject fedora/20
• version/fedoraproject fedora/21
• vendor/zarafa
• canonical/zarafa webapp
• version/zarafa webapp/2.0
• canonical/zarafa zarafa collaboration platform
• version/zarafa zarafa collaboration platform/7.0.0
• version/zarafa zarafa collaboration platform/7.0.1
• version/zarafa zarafa collaboration platform/7.0.2
• version/zarafa zarafa collaboration platform/7.0.3
• version/zarafa zarafa collaboration platform/7.0.4
• version/zarafa zarafa collaboration platform/7.0.5
• version/zarafa zarafa collaboration platform/7.0.6
• version/zarafa zarafa collaboration platform/7.0.7
• version/zarafa zarafa collaboration platform/7.0.8
• version/zarafa zarafa collaboration platform/7.0.9
• version/zarafa zarafa collaboration platform/7.0.10
• version/zarafa zarafa collaboration platform/7.0.11
• version/zarafa zarafa collaboration platform/7.0.12
• version/zarafa zarafa collaboration platform/7.0.13
• version/zarafa zarafa collaboration platform/7.1.0
• version/zarafa zarafa collaboration platform/7.1.1
• version/zarafa zarafa collaboration platform/7.1.2
• version/zarafa zarafa collaboration platform/7.1.3
• version/zarafa zarafa collaboration platform/7.1.4
• version/zarafa zarafa collaboration platform/7.1.5
• version/zarafa zarafa collaboration platform/7.1.6
• version/zarafa zarafa collaboration platform/7.1.7
• version/zarafa zarafa collaboration platform/7.1.8
• version/zarafa zarafa collaboration platform/7.1.9
• version/zarafa zarafa collaboration platform/7.1.10
• version/zarafa zarafa collaboration platform/7.1.11