Re: CVE request: Unauthenticated remote disk space exhaustion in Zarafa WebAccess and WebApp

[cve-assign () mitre org]

On Sun, 7 Dec 2014, Robert Scheck wrote:

> I discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp (any
> version) that could allow a remote unauthenticated attacker to exhaust the
> disk space of /tmp. Depending on the setup /tmp might be on / (e.g. RHEL).
> Zarafa WebApp is a fork and the successor of the Zarafa WebAccess.
>
> The affected files are /usr/share/zarafa-webaccess/senddocument.php as well
> as /usr/share/zarafa-webapp/senddocument.php. The default upload size is 30
> MB (via /etc/httpd/conf.d/zarafa-webaccess.conf / zarafa-webapp.conf).

Use CVE-2014-9465.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]