On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users wrote: > See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106 > > Has this been patched? There is no vulnerability here. Per OWASP: https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection ===== In order to successfully exploit a PHP Object Injection vulnerability two conditions must be met: The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a “POP chain”. All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes. ===== SquirrelMail doesn't qualify for that scenario. Whoever accepted/assigned this CVE seems to have only taken the word of the reporter, who has no proof that I know of that there is any security issue. If anyone knows differently, please get in touch. I'll put something on our /security page to reflect the situation. Cheers, -- Paul Lesniewski SquirrelMail Team Please support Open Source Software by donating to SquirrelMail! http://squirrelmail.org/donate_paul_lesniewski.php ----- squirrelmail-users mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
