[horde] Question on: (0Day) Horde Groupware Webmail Edition Sort sortpref Deserialization of Untrusted Data Remote Code Execution Vulnerability
ralf.lang at ralf-lang.de
Fri Oct 14 06:49:26 UTC 2022
On 12.10.22 at 18:41, Jens Wahnes wrote:
> Ralf Lang wrote:
>> I had a closer look at the desirable values for this preference.
>> In this specific case we need not argue if it is actually feasible
>> for a regular user to inject malicious data.
>> The desirable unserialization result does not contain objects. Thus,
>> I can simply disallow any objects in the deserialisation result.
>> I will provide a patch either tonight or tomorrow.
> Thank you for taking the time to look into this.
> I'm looking forward to your patch.
This patch addresses the immediate issue of deserializing malicious
content in Prefs.php.
You can apply it to any installation running on PHP 7.0 or newer. Users
of the composer-based maintaina fork will automatically get it with the
I intend to follow up on this with a more general solution very soon.
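The approach described above (reject any object in the unserialized preference, relying on the PHP 7.0+ `allowed_classes` option) can be illustrated as follows. This is an added example, not the actual Horde patch; the preference layout and the sample strings are constructed.

```php
<?php
// Added illustration of the approach described in the thread, not the Horde
// project's patch: the stored preference must decode to scalars/arrays only.

/**
 * Unserialize an untrusted preference string and reject anything that is not
 * a tree of arrays and scalars. Needs PHP >= 7.0 for 'allowed_classes'.
 * Returns the decoded array, or null if the value is not acceptable.
 */
function unserializeScalarTree(string $data)
{
    // allowed_classes => false: serialized objects are not instantiated, so no
    // __wakeup()/__destruct() of any class runs during deserialization. Such
    // entries surface as __PHP_Incomplete_Class placeholders instead.
    $value = @unserialize($data, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input. A serialized "b:0;" is
    // also false, but a sort preference is never a bare boolean, so both are
    // rejected here by requiring an array at the top level.
    if (!is_array($value) || !isScalarTree($value)) {
        return null;
    }
    return $value;
}

/** True only if $value is a scalar, null, or an array of such values (recursively). */
function isScalarTree($value)
{
    if (is_scalar($value) || $value === null) {
        return true;
    }
    if (!is_array($value)) {
        // Objects (including __PHP_Incomplete_Class placeholders) and resources
        // land here and are rejected, independent of is_object() semantics.
        return false;
    }
    foreach ($value as $item) {
        if (!isScalarTree($item)) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs; the field names are illustrative, not IMP's real layout.
$legit   = serialize(['INBOX' => ['b' => 'date', 'd' => 1]]);
$hostile = 'a:1:{s:5:"INBOX";O:8:"stdClass":0:{}}';  // object nested in the array
var_dump(unserializeScalarTree($legit));
var_dump(unserializeScalarTree($hostile));
```

The second call returns null because the nested object is never accepted, whichever class name it carries.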