[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability

Ralf Lang ralf.lang at ralf-lang.de
Wed Oct 12 15:14:21 UTC 2022


Hello everybody,

On 12.10.2022 at 15:57, Ralf Lang wrote:
> Hello Frank/Jens,
>
> On 12.10.2022 at 15:02, Jens Wahnes wrote:
>> Frank Richter wrote:
>>> I stumbled over this: 
>>> https://www.zerodayinitiative.com/advisories/ZDI-20-1051/
>>> Is this one fixed in the current versions?
>>
>> The report mentions that the flaw is in "Sort.php". If that 
>> information is correct, then the flaw still exists, because 
>> "Sort.php" has not been updated since 2017 but the bug was reported 
>> to have existed in 2020.
>>
>> See <https://github.com/horde/imp/commits/master/lib/Prefs/Sort.php> 
>> or 
>> <https://github.com/horde/imp/commits/FRAMEWORK_5_2/lib/Prefs/Sort.php> 
>> for a history of updates to "Sort.php".
>
> At first glance this report seems to be misleading. The unserialized 
> value in question is checked for being a regular array. sortpref is 
> not exposed in the user prefs UI. The code for setting the pref in 
> Mailbox.php also does not offer an obvious way for the user to 
> manipulate the content of that to-be-serialized value.
>
> I will have a closer look later today.
> In case you feel at risk, you can temporarily lock the pref in 
> prefs.local.php. I will keep you posted on this issue.

I had a closer look at the desirable values for this preference.
In this specific case we need not argue if it is actually feasible for a 
regular user to inject malicious data.
The desirable unserialization result does not contain objects. Thus, I 
can simply disallow any objects in the deserialization result.

I will provide a patch either tonight or tomorrow.

Regards,


Ralf
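The hardening Ralf describes above (the legitimate value is a plain array, so no object should ever come out of unserialize()) can be demonstrated in a few lines of PHP. This is an added example, not Horde/IMP code and not the patch Ralf announced; it assumes PHP >= 7.0, where unserialize() accepts the allowed_classes option, and the sample preference value is constructed here, shaped only loosely like a mailbox-keyed sort array. On older PHP that option does not exist and the value would have to be rejected or validated by other means.

```php
<?php
// Added example (not Horde/IMP code). Assumes PHP >= 7.0 for the
// allowed_classes option of unserialize().

/**
 * Unserialize a preference whose only legitimate shape is a plain
 * (possibly nested) array. Any object in the payload is refused.
 *
 * @param mixed $raw  The stored preference string.
 * @return array      The decoded array, or an empty array on any doubt.
 */
function unserialize_array_pref($raw)
{
    if (!is_string($raw) || $raw === '') {
        return array();
    }

    // allowed_classes => false: objects in the payload are materialised as
    // __PHP_Incomplete_Class instead of the named class, so no
    // __wakeup()/__destruct() of an application or library class runs.
    $value = @unserialize($raw, array('allowed_classes' => false));

    // Belt and braces: require an array and reject anything that still
    // contains an object (the __PHP_Incomplete_Class placeholders included).
    if (!is_array($value) || contains_object($value)) {
        return array();
    }
    return $value;
}

/** Recursively check an array for object values. */
function contains_object($value)
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs for this example.
// 1) A benign value: mailbox => sort settings.
$benign = serialize(array('INBOX' => array('b' => 'date', 'd' => 1)));
// 2) A value smuggling an object of a made-up class name "SomeGadgetCls".
$hostile = 'a:1:{s:5:"INBOX";O:13:"SomeGadgetCls":1:{s:1:"x";s:3:"abc";}}';

$decoded = unserialize_array_pref($benign);
if ($decoded !== array('INBOX' => array('b' => 'date', 'd' => 1))) {
    throw new RuntimeException('benign value was not round-tripped');
}
if (unserialize_array_pref($hostile) !== array()) {
    throw new RuntimeException('object-bearing value was not rejected');
}
echo "ok\n";
```

The second check is what makes the fix independent of whether a user can actually reach the stored value: even if a serialized object is planted in the preference, it never becomes an instance of a real class, and the value is discarded as a whole.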


