[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability
Ralf Lang
ralf.lang at ralf-lang.de
Fri Oct 14 06:49:26 UTC 2022
Hello Jens,
On 12.10.22 at 18:41, Jens Wahnes wrote:
> Ralf Lang wrote:
>> I had a closer look at the desirable values for this preference.
>> In this specific case we need not argue if it is actually feasible
>> for a regular user to inject malicious data.
>> The desirable unserialization result does not contain objects. Thus,
>> I can simply disallow any objects in the deserialisation result.
>>
>> I will provide a patch either tonight or tomorrow.
>
> Thank you for taking the time to look into this.
> I'm looking forward to your patch.
>
>
> Jens
This patch addresses the immediate issue of deserializing malicious
content in Prefs.php.
https://github.com/horde/imp/pull/10/files
You can apply it to any installation running on PHP 7.0 or newer. Users
of the composer-based maintaina fork will automatically get it with the
next update.
https://caniphp.com/?s=filtered+unserialize
I intend to follow up on this with a more general solution very soon.
Regards
Ralf
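The "allow no objects" strategy Ralf describes above, shown as an added example (not Horde's code or the linked pull request): PHP 7.0+ filtered unserialize with `allowed_classes => false`, followed by a walk of the result that rejects anything that is not scalars and arrays. The preference name, the array shape and the sample strings are constructed assumptions.

```php
<?php
// Added example, not from Horde or the linked patch. Demonstrates the
// PHP 7.0+ "filtered unserialize" approach for a stored preference
// (here assumed to be a sortpref-style nested array of scalars).

/**
 * Deserialize a stored preference that must contain only scalars and
 * arrays. Returns the array, or null if the payload is malformed or
 * carries any object.
 */
function unserializeScalarPref(string $stored)
{
    // allowed_classes => false: PHP never instantiates a class from the
    // payload; any object becomes a __PHP_Incomplete_Class placeholder,
    // so no arbitrary __wakeup()/__destruct() can run during parsing.
    $result = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($result)) {
        return null; // malformed, or not the array shape we expect
    }
    // Belt and braces: reject any placeholder object left in the tree.
    if (containsObject($result)) {
        return null;
    }
    return $result;
}

function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed samples (assumed shape: mailbox => [sort column, direction]).
$legit = serialize(['INBOX' => ['b' => 2, 'd' => 1]]);
// Same structure, but with a harmless stdClass where a scalar belongs,
// to show that an object-bearing string is refused rather than rebuilt.
$tainted = 'a:1:{s:5:"INBOX";O:8:"stdClass":0:{}}';

var_dump(unserializeScalarPref($legit));
var_dump(unserializeScalarPref($tainted));
```

With the filter in place the tainted string yields no live object at all, and the explicit walk turns the leftover placeholder into a rejected preference instead of a silently accepted one.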