oss-sec mailing list archives
Squirrelmail: Use of unserialize() on user data
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 20 Jun 2020 10:47:01 +0200
Hi,

The PHP-based webmail tool Squirrelmail uses unserialize() for untrusted data. unserialize() is generally not considered safe for this; PHP has not treated memory safety issues in unserialize as security bugs for a while, and there are other attacks.

In compose.php [1] you can see that Squirrelmail uses unserialize on $mailtodata, which directly comes from a GET variable. This data usually comes from the mailto.php script, which opens a mail compose interface with a passed mail address.

I've written a patch to convert this to json_encode/json_decode [2].

Unfortunately this is not the only place using unserialize on untrusted data. Later in the same file you can see that $attachments is also parsed with unserialize; it comes from POST data and is thus also user-controlled. Trying to patch this with a similar strategy broke the attachment functionality. If someone else wants to give it a try, I'm happy to accept patches.

(I'm collecting Squirrelmail patches that avoid warnings, add compatibility with the latest PHP versions and fix security issues here [3]. For reasons unclear to me the Squirrelmail developers only irregularly answer when I send patches and seem to ignore some of these issues. While they haven't made a release in a long time, they still sometimes fix security issues in their svn repo.)

It is unclear to me how big of a risk these issues are. There are some attack strategies on unserialize that involve constructors of objects [4], but the Squirrelmail code doesn't have many objects, so it is unclear if this is a feasible attack strategy.

I had reported the unserialize security issue to Squirrelmail on May 23rd. Unfortunately I haven't received a reply.

[1] https://svn.code.sf.net/p/squirrelmail/code/branches/SM-1_4-STABLE/squirrelmail/src/compose.php
[2] https://github.com/hannob/squirrelpatches/blob/main/patches/squirrelmail-security-mailto-avoid-unserialize.diff
[3] https://github.com/hannob/squirrelpatches
[4] https://blog.ripstech.com/2018/php-object-injection/

-- 
Hanno Böck
https://hboeck.de/
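The following is an added example, not Squirrelmail code and not part of the original post. It shows the pattern the post describes (unserialize() on a value that arrives in a GET parameter) next to two hardened variants: refusing objects with the allowed_classes option of unserialize() (PHP 7.0 and later), and the JSON round-trip used by the linked patch. The TempFile class, the field names and the sample payloads are constructed for this illustration; nothing here claims such a gadget class exists in Squirrelmail.

```php
<?php
// Added example (not SquirrelMail code). PHP 8 assumed.
// Demonstrates why unserialize() on request data is dangerous and how
// a JSON round-trip avoids the problem. All names are constructed.

declare(strict_types=1);

// Hypothetical application class. Any class with a magic method
// (__wakeup, __destruct, __toString, ...) that acts on properties the
// attacker controls is a potential object-injection gadget.
class TempFile
{
    public string $path = '';

    public function __destruct()
    {
        // Runs when the object is garbage-collected, including objects
        // that unserialize() just built from request data.
        if ($this->path !== '' && is_file($this->path)) {
            echo "would unlink {$this->path}\n";   // unlink() in a real gadget
        }
    }
}

// Vulnerable pattern: the shape of the compose.php code, where the
// serialized value arrives in a GET parameter.
function parse_mailto_unsafe(string $raw): array
{
    $data = unserialize($raw);          // objects of ANY class may be created
    return is_array($data) ? $data : [];
}

// Hardened pattern 1: keep the serialize format but refuse objects.
// allowed_classes => false turns every object into __PHP_Incomplete_Class,
// so no magic method of an application class is reached. Bugs in the
// unserialize parser itself remain reachable, which is why the JSON
// variant below is preferable.
function parse_mailto_no_objects(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened pattern 2 (what the linked patch does): JSON. json_decode()
// with $assoc = true can only yield scalars, arrays and null, and the
// result is reduced to the keys the consumer actually expects.
function encode_mailto(array $fields): string
{
    return json_encode($fields, JSON_THROW_ON_ERROR);
}

function parse_mailto_json(string $raw): array
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($data)) {
        return [];
    }
    $allowed = ['to', 'cc', 'bcc', 'subject', 'body'];   // constructed allow-list
    $out = [];
    foreach ($allowed as $k) {
        if (isset($data[$k]) && is_string($data[$k])) {
            $out[$k] = $data[$k];
        }
    }
    return $out;
}

// Legitimate value, as a mailto.php-style producer would hand it over.
$legit = serialize(['to' => 'alice@example.com', 'subject' => 'hi']);

// Constructed attacker value: a serialized TempFile object instead of an array.
$evil = 'O:8:"TempFile":1:{s:4:"path";s:11:"/etc/passwd";}';

var_dump(parse_mailto_unsafe($legit));
parse_mailto_unsafe($evil);                 // __destruct() fires on the injected object
var_dump(parse_mailto_no_objects($evil));   // empty array, no destructor reached
var_dump(parse_mailto_json(encode_mailto(['to' => 'bob@example.com', 'x' => 1])));
```

The JSON variant also covers the case the post mentions for $attachments: if the value is produced by the application itself (json_encode on the way out, json_decode on the way in), the consumer never has to accept arbitrary PHP types, which is what breaks when a serialized array of objects is simply swapped for JSON without also changing the producer.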