CVE-2014-9465: Race Condition
First published: Mon Sep 08 2014(Updated: )
I discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp (any version) that could allow a remote unauthenticated attacker to exhaust the disk space of /tmp. Depending on the setup /tmp might be on / (e.g. RHEL). Zarafa WebApp is a fork and the successor of the Zarafa WebAccess. The affected files are /usr/share/zarafa-webaccess/senddocument.php as well as /usr/share/zarafa-webapp/senddocument.php. The default upload size is 30 MB (via /etc/httpd/conf.d/zarafa-webaccess.conf / zarafa-webapp.conf). I do not know if $tmpname is predictable (for race conditions) but likely not. The 2nd parameter is only a prefix according to the PHP documentation of tempnam(). From my point of view the file "senddocument.php" is neither referenced nor used anywhere in the code and could be simply removed. Upstream has been notified and I am awaiting their response. At the moment this RHBZ is only meant to have this tracked somewhere, please do not yet disclose.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/zarafa-7.1.12 | <1 | 1 |
| Fedoraproject Fedora | =20 | |
| Fedoraproject Fedora | =21 | |
| Zarafa WebApp | <=2.0 | |
| Zarafa Collaboration Platform | =7.0.0 | |
| Zarafa Collaboration Platform | =7.0.1 | |
| Zarafa Collaboration Platform | =7.0.2 | |
| Zarafa Collaboration Platform | =7.0.3 | |
| Zarafa Collaboration Platform | =7.0.4 | |
| Zarafa Collaboration Platform | =7.0.5 | |
| Zarafa Collaboration Platform | =7.0.6 | |
| Zarafa Collaboration Platform | =7.0.7 | |
| Zarafa Collaboration Platform | =7.0.8 | |
| Zarafa Collaboration Platform | =7.0.9 | |
| Zarafa Collaboration Platform | =7.0.10 | |
| Zarafa Collaboration Platform | =7.0.11 | |
| Zarafa Collaboration Platform | =7.0.12 | |
| Zarafa Collaboration Platform | =7.0.13 | |
| Zarafa Collaboration Platform | =7.1.0 | |
| Zarafa Collaboration Platform | =7.1.1 | |
| Zarafa Collaboration Platform | =7.1.2 | |
| Zarafa Collaboration Platform | =7.1.3 | |
| Zarafa Collaboration Platform | =7.1.4 | |
| Zarafa Collaboration Platform | =7.1.5 | |
| Zarafa Collaboration Platform | =7.1.6 | |
| Zarafa Collaboration Platform | =7.1.7 | |
| Zarafa Collaboration Platform | =7.1.8 | |
| Zarafa Collaboration Platform | =7.1.9 | |
| Zarafa Collaboration Platform | =7.1.10 | |
| Zarafa Collaboration Platform | =7.1.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://oss-security.openwall.org/wiki/mailing-lists/distros
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1139442#c3
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1139442#c4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1139442#c5
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1139442#c7
- http://doc.zarafa.com/trunk/Support_Lifecycle_Policy/en-US/html/_major_release_cycle.html
- https://jira.zarafa.com/browse/ZCP/?selectedTab=com.atlassian.jira.jira-projects-plugin:roadmap-panel
- https://download.zarafa.com/community/beta/7.1/
- http://download.zarafa.com/community/beta/WebApp/2.0/
- http://download.zarafa.com/community/beta/7.2/changelog-7.2.txt
- http://download.zarafa.com/community/beta/7.2/7.2.0beta1-47004/
- http://seclists.org/oss-sec/2014/q4/953
- https://access.redhat.com/security/cve/CVE-2014-9465
- http://seclists.org/oss-sec/2015/q1/16
- https://bugzilla.redhat.com/show_bug.cgi?id=1139442
- http://advisories.mageia.org/MGASA-2015-0049.html
- http://download.zarafa.com/community/beta/7.1/changelog-7.1.txt
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156112.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156228.html
- http://security.robert-scheck.de/cve-2014-9465-zarafa/
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:040
- http://www.openwall.com/lists/oss-security/2014/12/07/2
- http://www.openwall.com/lists/oss-security/2015/01/03/10
- https://jira.zarafa.com/browse/ZCP-12596
- collector/redhat-bugzilla
- alias/CVE-2014-9465
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/type
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/20
- version/fedoraproject fedora/21
- vendor/zarafa
- canonical/zarafa webapp
- version/zarafa webapp/2.0
- canonical/zarafa collaboration platform
- version/zarafa collaboration platform/7.0.0
- version/zarafa collaboration platform/7.0.1
- version/zarafa collaboration platform/7.0.2
- version/zarafa collaboration platform/7.0.3
- version/zarafa collaboration platform/7.0.4
- version/zarafa collaboration platform/7.0.5
- version/zarafa collaboration platform/7.0.6
- version/zarafa collaboration platform/7.0.7
- version/zarafa collaboration platform/7.0.8
- version/zarafa collaboration platform/7.0.9
- version/zarafa collaboration platform/7.0.10
- version/zarafa collaboration platform/7.0.11
- version/zarafa collaboration platform/7.0.12
- version/zarafa collaboration platform/7.0.13
- version/zarafa collaboration platform/7.1.0
- version/zarafa collaboration platform/7.1.1
- version/zarafa collaboration platform/7.1.2
- version/zarafa collaboration platform/7.1.3
- version/zarafa collaboration platform/7.1.4
- version/zarafa collaboration platform/7.1.5
- version/zarafa collaboration platform/7.1.6
- version/zarafa collaboration platform/7.1.7
- version/zarafa collaboration platform/7.1.8
- version/zarafa collaboration platform/7.1.9
- version/zarafa collaboration platform/7.1.10
- version/zarafa collaboration platform/7.1.11