oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Squirrelmail: Use of unserialize() on user data

From: Hanno Böck <hanno () hboeck de>
Date: Sat, 20 Jun 2020 10:47:01 +0200
Hi,

The PHP-based webmail tool Squirrelmail uses unserialize() for
untrusted data.

unserialize() is generally not considered safe for this, PHP does not
treat memory safety issues in unserialize as security bugs since a
while and there are other attacks.

In compose.php [1] you can see that squirrelmail uses unserialize on
$mailtodata, which directly comes from a GET variable.

This data usually comes from the mailto.php script which opens a mail
compose interface with a passed mail address.

I've written a patch to convert this to json_encode/json_decode [2].

Unfortunately this is not the only place using unserialize on untrusted
data, later in the same file you can see that $attachments is also
parsed with unserialize, which comes from POST data, thus also
user-controlled. Trying to patch this with a similar strategy broke the
attachment functionality. If someone else wants to give it a try happy
to accept patches. (I'm collecting squirrelmail patches that avoid
warnings, add compatibility to latest PHP versions and fix security
issues here [3]. For reasons unclear to me the squirrelmail developers
only irregularly answer when I send patches and seem to ignore some of
these issues. While they haven't made a release in a long time, they
still sometimes fix security issues in their svn repo.)

It is unclear to me how big of a risk these issues are. There are some
attack strategies on unserialize that involve constructors of objects
[4], but the squirrelmail code doesn't have many objects, so it is
unclear if this is a feasible attack strategy.

I had reported the unserialize security issue to Squirrelmail on May
23rd. Unfortunately I haven't received a reply.



[1]
https://svn.code.sf.net/p/squirrelmail/code/branches/SM-1_4-STABLE/squirrelmail/src/compose.php
[2]
https://github.com/hannob/squirrelpatches/blob/main/patches/squirrelmail-security-mailto-avoid-unserialize.diff
[3] https://github.com/hannob/squirrelpatches
[4] https://blog.ripstech.com/2018/php-object-injection/
-- 
Hanno Böck
https://hboeck.de/
Previous By Date Next
Previous By Thread Next

Current thread: