Re: squirrelmail CVE-2020-14933



On Fri, October 15, 2021 2:36 pm, James B. Byrne wrote:
> On Thu, October 14, 2021 18:09, Paul Lesniewski wrote:
>> On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users
>> wrote:
>>> See:
>>> Has this been patched?
>> There is no vulnerability here.  Per OWASP:
>> =====
>> In order to successfully exploit a PHP Object Injection vulnerability
>> two conditions must be met:
>>   The application must have a class which implements a PHP magic method
>> (such as __wakeup or __destruct) that can be used to carry out malicious
>> attacks, or to start a "POP chain".
>>   All of the classes used during the attack must be declared when the
>> vulnerable unserialize() is being called, otherwise object autoloading
>> must be supported for such classes.
>> =====
>> SquirrelMail doesn't qualify for that scenario.  Whoever accepted/assigned
>> this CVE seems to have only taken the word of the reporter, who has no
>> proof that I know of that there is any security issue.  If anyone knows
>> differently, please get in touch.
>> I'll put something on our /security page to reflect the situation.
>> Cheers,
> My problem is that I am in the midst of a PCI audit; and we use
> SquirrelMail; and this CVE is an issue with them.  I doubt that either I
> or anyone else can convince the auditors to ignore what is on the NIST
> website identified as a Critical error respecting SM.  That said, I will
> show them your response.  One never knows what can happen when dealing
> with people having much authority and little knowledge.
> I checked some Linux distros and they seem to have issued some sort of
> patch to deal with this.  I have seen a request made to the FreeBSD bug
> tracker to deal with this as well.
> I need something done to address this CVE, either by having it removed
> from NIST as invalid or through some sort of patch, meaningless or not,
> that convinces NIST that the issue is resolved.  That probably requires a
> new CPE, and that will no doubt require the FreeBSD port maintainer to
> issue a version upgrade.  Otherwise I am going to be forced into an
> unwanted, and evidently unnecessary, migration.  For which I have neither
> the time nor resources to effect.

This was on my radar, but given your situation, I went ahead and contacted
both NIST and MITRE just now.  If you have the FreeBSD maintainer's
contact info, I can work with that person too, but I don't understand what
you need from that person?  Maybe you want them to invalidate/reject the
ticket on their bug tracker?

Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
