[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability
Jens Wahnes
wahnes at uni-koeln.de
Wed Oct 12 16:41:52 UTC 2022
Ralf Lang wrote:
> I had a closer look at the desirable values for this preference.
> In this specific case we need not argue if it is actually feasible for a
> regular user to inject malicious data.
> The desirable unserialization result does not contain objects. Thus, I
> can simply disallow any objects in the deserialisation result.
>
> I will provide a patch either tonight or tomorrow.
Thank you for taking the time to look into this.
I'm looking forward to your patch.
Jens
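
The approach described in the quoted message (accept a deserialization result only if it contains no objects) can be sketched in PHP as follows. This is an added example, not the Horde patch and not code from this thread; the function names and the sample preference values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: true if $value is, or contains at any depth, an object.
function contains_object($value): bool
{
    // With allowed_classes => false, serialized objects come back as
    // __PHP_Incomplete_Class placeholders; is_object() only reports those
    // as objects since PHP 7.2, so test for the placeholder explicitly too.
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hypothetical helper: unserialize a stored preference, objects disallowed.
function unserialize_pref_no_objects(string $raw): array
{
    // No class is instantiated, so no __wakeup()/__destruct() of an
    // application class can be triggered by the stored data.
    $value = unserialize($raw, ['allowed_classes' => false]);

    if (!is_array($value) || contains_object($value)) {
        throw new UnexpectedValueException('preference rejected');
    }
    return $value;
}

// Constructed sample values; the real preference layout is not shown in the thread.
$samples = [
    'plain array'   => serialize(['INBOX' => ['by' => 1, 'dir' => 0]]),
    'nested object' => 'a:1:{s:5:"INBOX";O:8:"stdClass":0:{}}',
];

foreach ($samples as $label => $raw) {
    try {
        unserialize_pref_no_objects($raw);
        echo "$label: accepted\n";
    } catch (UnexpectedValueException $e) {
        echo "$label: rejected\n";
    }
}
```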