Mandriva Linux Security Advisory 2014-182 – Robert Scheck reported that Zarafa’s WebAccess stored session information, including login credentials, on-disk in PHP session files. This session file would contain a user’s username and password to the Zarafa IMAP server. Robert Scheck discovered that the Zarafa Collaboration Platform has multiple incorrect default permissions.