[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability

Ralf Lang ralf.lang at ralf-lang.de
Fri Oct 14 06:49:26 UTC 2022

Hello Jens,

Am 12.10.22 um 18:41 schrieb Jens Wahnes:
> Ralf Lang wrote:
>> I had a closer look at the desirable values for this preference.
>> In this specific case we need not argue if it is actually feasible 
>> for a regular user to inject malicious data.
>> The desirable unserialization result does not contain objects. Thus, 
>> I can simply disallow any objects in the deserialisation result.
>> I will provide a patch either tonight or tomorrow.
> Thank you for taking the time to look into this.
> I'm looking forward to your patch.
> Jens

This patch addresses the immediate issue of deserializing malicious 
content in Prefs.php.


You can apply it to any installation running on PHP 7.0 or newer. Users 
of the composer-based maintaina fork will automatically get it with the 
next update.


I intend to follow up on this with a more general solution very soon.



More information about the horde mailing list