[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability

Ralf Lang ralf.lang at ralf-lang.de
Wed Oct 12 13:57:50 UTC 2022

Hello Frank/Jens,

Am 12.10.2022 um 15:02 schrieb Jens Wahnes:
> Frank Richter wrote:
>> I stumbled over this: 
>> https://www.zerodayinitiative.com/advisories/ZDI-20-1051/
>> Ist this one fixed in the current versions?
> The report mentions that the flaw is in "Sort.php". If that 
> information is correct, then the flaw still exists, because "Sort.php" 
> has not been updated since 2017 but the bug was reported to have 
> existed in 2020.
> See <https://github.com/horde/imp/commits/master/lib/Prefs/Sort.php> 
> or 
> <https://github.com/horde/imp/commits/FRAMEWORK_5_2/lib/Prefs/Sort.php> 
> for a history of updates to "Sort.php".

At first glance this report seems to be misleading. The unserialized 
value in question is checked for being a regular array. sortpref is not 
exposed in the user prefs UI. The code for setting the pref in 
Mailbox.php also does not offer an obvious way for the user to 
manipulate the content of that to-be-serialized value.

I will have a closer look later today.
In case you feel at risk, you can temporarily lock the pref in 
prefs.local.php. I will keep you posted on this issue.



More information about the horde mailing list