On Thu, October 14, 2021 10:09 pm, Paul Lesniewski wrote:
> On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users
> wrote:
>> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>>
>> Has this been patched?
>
> There is no vulnerability here. Per OWASP:
>
> https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
>
> =====
> In order to successfully exploit a PHP Object Injection vulnerability two
> conditions must be met:
>
> The application must have a class which implements a PHP magic method
> (such as __wakeup or __destruct) that can be used to carry out malicious
> attacks, or to start a “POP chain”.
> All of the classes used during the attack must be declared when the
> vulnerable unserialize() is being called, otherwise object autoloading
> must be supported for such classes.
> =====
>
> SquirrelMail doesn't qualify for that scenario. Whoever accepted/assigned
> this CVE seems to have only taken the word of the reporter, who has no
> proof that I know of that there is any security issue. If anyone knows
> differently, please get in touch.
>
> I'll put something on our /security page to reflect the situation.

See: https://squirrelmail.org/security/issue.php?d=2021-10-15

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
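The two OWASP conditions quoted in the thread, as an added example that is not SquirrelMail code and not from any participant in the discussion: a declared class whose __wakeup() runs when an object is deserialized, the unsafe unserialize() call that lets untrusted input reach it, and the hardened call with allowed_classes => false, which turns the same input into a __PHP_Incomplete_Class so no application magic method fires. The CacheEntry class and the serialized string are constructed for the demo; the class is deliberately benign and only counts how often it was woken up.

```php
<?php
// Added example (not SquirrelMail code): illustrates the two OWASP conditions
// for PHP Object Injection and the standard mitigation.

// Condition 1: a class declared at unserialize() time that implements a
// magic method. This one is deliberately benign: it only records that it ran.
class CacheEntry
{
    public static int $wakeups = 0;
    public string $key = '';

    public function __wakeup(): void
    {
        self::$wakeups++;   // a real gadget would act on $this->key here
    }
}

// Constructed "untrusted" input, e.g. from a cookie or POST field. It
// describes a CacheEntry object; Condition 2 holds because that class exists.
$untrusted = 'O:10:"CacheEntry":1:{s:3:"key";s:8:"attacker";}';

// Unsafe: the string is turned into a live CacheEntry and __wakeup() runs.
function unsafeLoad(string $data): mixed
{
    return unserialize($data);
}

// Hardened: no classes are allowed, so PHP yields __PHP_Incomplete_Class
// and never invokes __wakeup()/__destruct() of application classes.
function safeLoad(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Safer still for plain data: use a format with no object semantics at all.
function safestLoad(string $json): mixed
{
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

$obj = unsafeLoad($untrusted);
printf("unsafe: %s, wakeups=%d\n", get_class($obj), CacheEntry::$wakeups);

$obj = safeLoad($untrusted);
printf("safe:   %s, wakeups=%d\n", get_class($obj), CacheEntry::$wakeups);
```

Run it once with php on the command line and compare the class name and counter between the two calls; if a codebase has no class with a usable magic method reachable at unserialize() time, the first OWASP condition is simply not met, which is the point Paul makes above.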