oss-sec mailing list archives

CVE request: Unauthenticated remote disk space exhaustion in Zarafa WebAccess and WebApp


From: Robert Scheck <robert () fedoraproject org>
Date: Sun, 7 Dec 2014 13:16:05 +0100

Good afternoon,

I discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp (any
version) that could allow a remote unauthenticated attacker to exhaust the
disk space of /tmp. Depending on the setup, /tmp might be on / (e.g. RHEL).
Zarafa WebApp is a fork and the successor of the Zarafa WebAccess.

The affected files are /usr/share/zarafa-webaccess/senddocument.php as well
as /usr/share/zarafa-webapp/senddocument.php. The default upload size is 30
MB (via /etc/httpd/conf.d/zarafa-webaccess.conf / zarafa-webapp.conf).

I do not know if $tmpname is predictable (for race conditions) but likely
not. The 2nd parameter is only a prefix according to the PHP documentation
of tempnam().

Upstream removed the file "senddocument.php" (which is neither referenced
nor used anywhere in the code) as a solution and thus followed my suggestion
for Zarafa WebApp 2.0 beta 3 (SVN 46848) and Zarafa WebAccess 7.2.0 beta 1
(SVN 47004).

See https://bugzilla.redhat.com/show_bug.cgi?id=1139442 for the whole history.


With kind regards

Robert Scheck
-- 
Fedora Project * Fedora Ambassador * Fedora Mentor * Fedora Packager
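
Added example, not part of the original post: a host audit that checks whether senddocument.php is still installed at the two paths named above and whether /tmp shares a filesystem with /. It assumes GNU stat and that the upload limit in the Apache snippets is set with PHP's upload_max_filesize / post_max_size directives; the optional root argument is a hypothetical convenience for checking a chroot or unpacked package tree.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (-c %d).
# The optional root argument is a hypothetical convenience for checking an
# unpacked package tree or chroot instead of the live system.

# Print every senddocument.php still installed at the paths named in the post.
find_senddocument() {
    root="${1%/}"
    for f in /usr/share/zarafa-webaccess/senddocument.php \
             /usr/share/zarafa-webapp/senddocument.php; do
        if [ -f "${root}${f}" ]; then
            printf '%s\n' "${root}${f}"
        fi
    done
}

# Succeed when both paths live on the same filesystem (same device number).
same_filesystem() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Return 0 when the file is gone, 1 when it is still installed.
audit() {
    root="${1%/}"
    found=$(find_senddocument "$root")
    if [ -z "$found" ]; then
        echo "OK: senddocument.php is not installed"
        return 0
    fi
    echo "AFFECTED: senddocument.php is still installed:"
    echo "$found"
    if same_filesystem "${root}/tmp" "${root}/"; then
        echo "WARNING: /tmp shares a filesystem with /"
    else
        echo "NOTE: /tmp is on its own filesystem"
    fi
    # Assumption: the upload limit in the Apache snippets is set through
    # PHP's upload_max_filesize / post_max_size directives.
    grep -HE 'upload_max_filesize|post_max_size' \
        "${root}/etc/httpd/conf.d/zarafa-webaccess.conf" \
        "${root}/etc/httpd/conf.d/zarafa-webapp.conf" 2>/dev/null || true
    return 1
}

# Run only when a root is given, e.g.:  sh audit.sh /
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

An exit status of 1 means the file is still present; removing it matches the upstream fix described in the post.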
