Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 20 Jun 2020 10:47:01 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Squirrelmail: Use of unserialize() on user data

Hi,

The PHP-based webmail tool Squirrelmail uses unserialize() for
untrusted data.

unserialize() is generally not considered safe for this, PHP does not
treat memory safety issues in unserialize as security bugs since a
while and there are other attacks.

In compose.php [1] you can see that squirrelmail uses unserialize on
$mailtodata, which directly comes from a GET variable.

This data usually comes from the mailto.php script which opens a mail
compose interface with a passed mail address.

I've written a patch to convert this to json_encode/json_decode [2].

Unfortunately this is not the only place using unserialize on untrusted
data, later in the same file you can see that $attachments is also
parsed with unserialize, which comes from POST data, thus also
user-controlled. Trying to patch this with a similar strategy broke the
attachment functionality. If someone else wants to give it a try happy
to accept patches. (I'm collecting squirrelmail patches that avoid
warnings, add compatibility to latest PHP versions and fix security
issues here [3]. For reasons unclear to me the squirrelmail developers
only irregularly answer when I send patches and seem to ignore some of
these issues. While they haven't made a release in a long time, they
still sometimes fix security issues in their svn repo.)

It is unclear to me how big of a risk these issues are. There are some
attack strategies on unserialize that involve constructors of objects
[4], but the squirrelmail code doesn't have many objects, so it is
unclear if this is a feasible attack strategy.

I had reported the unserialize security issue to Squirrelmail on May
23rd. Unfortunately I haven't received a reply.



[1]
https://svn.code.sf.net/p/squirrelmail/code/branches/SM-1_4-STABLE/squirrelmail/src/compose.php
[2]
https://github.com/hannob/squirrelpatches/blob/main/patches/squirrelmail-security-mailto-avoid-unserialize.diff
[3] https://github.com/hannob/squirrelpatches
[4] https://blog.ripstech.com/2018/php-object-injection/
-- 
Hanno Böck
https://hboeck.de/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.