[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability
Ralf Lang
ralf.lang at ralf-lang.de
Wed Oct 12 13:57:50 UTC 2022
Hello Frank/Jens,
On 12.10.2022 at 15:02, Jens Wahnes wrote:
> Frank Richter wrote:
>> I stumbled over this:
>> https://www.zerodayinitiative.com/advisories/ZDI-20-1051/
>> Is this one fixed in the current versions?
>
> The report mentions that the flaw is in "Sort.php". If that
> information is correct, then the flaw still exists, because "Sort.php"
> has not been updated since 2017 but the bug was reported to have
> existed in 2020.
>
> See <https://github.com/horde/imp/commits/master/lib/Prefs/Sort.php>
> or
> <https://github.com/horde/imp/commits/FRAMEWORK_5_2/lib/Prefs/Sort.php>
> for a history of updates to "Sort.php".
At first glance this report seems to be misleading. The unserialized
value in question is checked for being a regular array. sortpref is not
exposed in the user prefs UI. The code for setting the pref in
Mailbox.php also does not offer an obvious way for the user to
manipulate the content of that to-be-serialized value.
I will have a closer look later today.
In case you feel at risk, you can temporarily lock the pref in
prefs.local.php. I will keep you posted on this issue.
Regards
Ralf
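To illustrate the two safeguards the thread discusses (the unserialized value being checked for a plain array, and refusing to instantiate objects during unserialization), here is an added PHP example; it is not Horde or IMP code, and the pref layout (mailbox name => ['by' => int, 'dir' => int]) and the function name are assumptions made for the illustration.

```php
<?php
// Added illustration, not Horde/IMP code. The pref layout
// (mailbox => ['by' => int, 'dir' => int]) is an assumption.

declare(strict_types=1);

/**
 * Decode a serialized sort preference defensively.
 * Returns a validated array, or an empty array on any doubt.
 */
function load_sort_pref(string $raw): array
{
    // Never instantiate classes from stored data: a serialized object
    // is the usual vehicle for deserialization gadget chains.
    $value = @unserialize($raw, ['allowed_classes' => false]);

    // The value must be a plain array, nothing else is accepted.
    if (!is_array($value)) {
        return [];
    }

    $clean = [];
    foreach ($value as $mailbox => $entry) {
        if (!is_string($mailbox) || !is_array($entry)) {
            continue;
        }
        $by  = $entry['by']  ?? null;
        $dir = $entry['dir'] ?? null;
        // Only integer sort column and a 0/1 direction are kept.
        if (!is_int($by) || !is_int($dir) || ($dir !== 0 && $dir !== 1)) {
            continue;
        }
        $clean[$mailbox] = ['by' => $by, 'dir' => $dir];
    }
    return $clean;
}

// Constructed sample values for the demonstration.
$good = serialize(['INBOX' => ['by' => 3, 'dir' => 1]]);
var_dump(load_sort_pref($good));   // one validated INBOX entry

// A serialized object comes back as __PHP_Incomplete_Class rather than
// an array when allowed_classes is false, so it is dropped entirely.
$bad = 'O:8:"stdClass":0:{}';
var_dump(load_sort_pref($bad));    // array(0) {}
```

The `allowed_classes` option requires PHP 7.0 or later; on older interpreters the array check alone still rejects objects, but only after they have been instantiated.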