[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability
Ralf Lang
ralf.lang at ralf-lang.de
Wed Oct 12 15:14:21 UTC 2022
Hello everybody,
On 12.10.2022 at 15:57, Ralf Lang wrote:
> Hello Frank/Jens,
>
> On 12.10.2022 at 15:02, Jens Wahnes wrote:
>> Frank Richter wrote:
>>> I stumbled over this:
>>> https://www.zerodayinitiative.com/advisories/ZDI-20-1051/
>>> Is this one fixed in the current versions?
>>
>> The report mentions that the flaw is in "Sort.php". If that
>> information is correct, then the flaw still exists, because
>> "Sort.php" has not been updated since 2017 but the bug was reported
>> to have existed in 2020.
>>
>> See <https://github.com/horde/imp/commits/master/lib/Prefs/Sort.php>
>> or
>> <https://github.com/horde/imp/commits/FRAMEWORK_5_2/lib/Prefs/Sort.php>
>> for a history of updates to "Sort.php".
>
> At first glance this report seems to be misleading. The unserialized
> value in question is checked for being a regular array. sortpref is
> not exposed in the user prefs UI. The code for setting the pref in
> Mailbox.php also does not offer an obvious way for the user to
> manipulate the content of that to-be-serialized value.
>
> I will have a closer look later today.
> In case you feel at risk, you can temporarily lock the pref in
> prefs.local.php. I will keep you posted on this issue.
I had a closer look at the desirable values for this preference.
In this specific case we need not argue if it is actually feasible for a
regular user to inject malicious data.
The desirable unserialization result does not contain objects. Thus, I
can simply disallow any objects in the deserialisation result.
I will provide a patch either tonight or tomorrow.
Regards,
Ralf
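The approach described above (a preference whose legitimate value is a plain array, so any object in the unserialize() result can be rejected outright), shown as an added PHP example. This is not Horde's code and not the patch mentioned in the thread; the function names and the sample preference layout are constructed for illustration, and the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
// Added example (not Horde code): read a serialized preference value and
// refuse anything that is not a plain array of scalars / nested arrays.
// Assumes PHP >= 7.0 for the 'allowed_classes' option of unserialize().

/**
 * Return true if $value is built only from arrays and scalars (no objects).
 * __PHP_Incomplete_Class placeholders are objects too, so they fail here.
 */
function containsNoObjects($value): bool
{
    if (is_object($value)) {
        return false;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (!containsNoObjects($item)) {
                return false;
            }
        }
    }
    return true;
}

/**
 * Deserialize a stored preference; return $default unless the result is a
 * plain array with no objects anywhere inside it (hypothetical helper name).
 */
function loadArrayPref(string $serialized, array $default = []): array
{
    // allowed_classes => false: an 'O:' token yields __PHP_Incomplete_Class
    // instead of instantiating a real class, so no __wakeup()/__destruct()
    // of application classes runs during unserialize().
    $value = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($value) || !containsNoObjects($value)) {
        return $default;
    }
    return $value;
}

// Constructed sample values; the key names are made up for this demo.
$good = serialize(['INBOX' => ['by' => 1, 'dir' => 0]]);
$bad  = 'a:1:{i:0;O:8:"stdClass":0:{}}';   // array wrapping an object

var_dump(loadArrayPref($good));  // the nested array above
var_dump(loadArrayPref($bad));   // array(0) {} -- object content rejected
```

A malformed string makes unserialize() return false, which also fails the is_array() check and falls back to the default.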