On Thu, October 14, 2021 18:09, Paul Lesniewski wrote:
. . .
> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>
> Has this been patched?
There is no vulnerability here. Per OWASP:
https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
=====
In order to successfully exploit a PHP Object Injection vulnerability two
conditions must be met:
The application must have a class which implements a PHP magic method
(such as __wakeup or __destruct) that can be used to carry out malicious
attacks, or to start a “POP chain”.
All of the classes used during the attack must be declared when the
vulnerable unserialize() is being called, otherwise object autoloading
must be supported for such classes.
=====
SquirrelMail doesn't qualify for that scenario. Whoever accepted/assigned
this CVE seems to have only taken the word of the reporter, who has no
proof that I know of that there is any security issue. If anyone knows
differently, please get in touch.
I'll put something on our /security page to reflect the situation.
Cheers,
--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php