Date: Sat, 20 Jun 2020 10:47:01 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security <oss-security@...ts.openwall.com> Subject: Squirrelmail: Use of unserialize() on user data Hi, The PHP-based webmail tool Squirrelmail uses unserialize() for untrusted data. unserialize() is generally not considered safe for this, PHP does not treat memory safety issues in unserialize as security bugs since a while and there are other attacks. In compose.php  you can see that squirrelmail uses unserialize on $mailtodata, which directly comes from a GET variable. This data usually comes from the mailto.php script which opens a mail compose interface with a passed mail address. I've written a patch to convert this to json_encode/json_decode . Unfortunately this is not the only place using unserialize on untrusted data, later in the same file you can see that $attachments is also parsed with unserialize, which comes from POST data, thus also user-controlled. Trying to patch this with a similar strategy broke the attachment functionality. If someone else wants to give it a try happy to accept patches. (I'm collecting squirrelmail patches that avoid warnings, add compatibility to latest PHP versions and fix security issues here . For reasons unclear to me the squirrelmail developers only irregularly answer when I send patches and seem to ignore some of these issues. While they haven't made a release in a long time, they still sometimes fix security issues in their svn repo.) It is unclear to me how big of a risk these issues are. There are some attack strategies on unserialize that involve constructors of objects , but the squirrelmail code doesn't have many objects, so it is unclear if this is a feasible attack strategy. I had reported the unserialize security issue to Squirrelmail on May 23rd. Unfortunately I haven't received a reply.  https://svn.code.sf.net/p/squirrelmail/code/branches/SM-1_4-STABLE/squirrelmail/src/compose.php  https://github.com/hannob/squirrelpatches/blob/main/patches/squirrelmail-security-mailto-avoid-unserialize.diff  https://github.com/hannob/squirrelpatches  https://blog.ripstech.com/2018/php-object-injection/ -- Hanno Böck https://hboeck.de/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.