[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability

Jens Wahnes wahnes at uni-koeln.de
Wed Oct 12 16:41:52 UTC 2022

Ralf Lang wrote:
> I had a closer look at the desirable values for this preference.
> In this specific case we need not argue if it is actually feasible for a 
> regular user to inject malicious data.
> The desirable unserialization result does not contain objects. Thus, I 
> can simply disallow any objects in the deserialisation result.
> I will provide a patch either tonight or tomorrow.

Thank you for taking the time to look into this.
I'm looking forward to your patch.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5324 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.horde.org/archives/horde/attachments/20221012/3376bc6a/attachment-0001.bin>

More information about the horde mailing list