Has SquirrelMail CVE-2020-14933 been patched?

I am dealing with our PCI auditors. Since we use SquirrelMail for our company email client, CVE-2020-14933 is an issue. The most recent version of SM in ports is squirrelmail-php73-20200422. I speculate that this means that the port is based on the SM source as of 2020-04-22. However, CVE-2020-14933 is shown as being reported on 2020-06-26.

Is there a patch for this?

 
Per the SquirrelMail mailing list from the chief maintainer:
Code:
On Thu, October 14, 2021 18:09, Paul Lesniewski wrote:
. . .
> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>
> Has this been patched?

There is no vulnerability here.  Per OWASP:

https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

=====
In order to successfully exploit a PHP Object Injection vulnerability two
conditions must be met:

  The application must have a class which implements a PHP magic method
(such as __wakeup or __destruct) that can be used to carry out malicious
attacks, or to start a “POP chain”.
  All of the classes used during the attack must be declared when the
vulnerable unserialize() is being called, otherwise object autoloading
must be supported for such classes.
=====

SquirrelMail doesn't qualify for that scenario.  Whoever accepted/assigned
this CVE seems to have only taken the word of the reporter, who has no
proof that I know of that there is any security issue.  If anyone knows
differently, please get in touch.

I'll put something on our /security page to reflect the situation.

Cheers,
--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
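The two OWASP conditions quoted in the reply above, illustrated with a stand-alone PHP script. This is an added example, not code from SquirrelMail or from the mailing-list post, and it makes no claim about SquirrelMail's own classes: the `LogWriter` gadget class, the `OtherGadget` class name, the temp-file path and the serialized payload are all constructed for the illustration. It shows why a declared class with a dangerous magic method makes `unserialize()` of attacker input exploitable, why the same payload is inert when the named class is not declared and nothing autoloads it, and the `allowed_classes` option (PHP 7.0 and later) that forbids instantiating any class from untrusted data.

```php
<?php
// Added example (not SquirrelMail code): the two OWASP conditions for an
// exploitable PHP Object Injection, shown with a hypothetical gadget class.

// Condition 1: a declared class whose magic method does something dangerous.
// Hypothetical; nothing like it is asserted to exist in SquirrelMail.
class LogWriter
{
    public $path;
    public $data;

    // Runs when the object is destroyed, which happens as soon as the
    // result of unserialize() is discarded.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Attacker-controlled input, constructed for this example. The serialized
// string only names a class and sets its properties; it carries no code.
$target  = sys_get_temp_dir() . '/poi_demo.txt';
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:' . strlen($target) . ':"' . $target
         . '";s:4:"data";s:5:"owned";}';

// 1) Vulnerable: LogWriter is declared, so unserialize() instantiates it and
//    the destructor writes attacker-chosen data to an attacker-chosen path.
@unlink($target);
unserialize($payload);
echo "declared class, plain unserialize(): ",
     file_exists($target) ? "file written (exploitable)\n" : "no effect\n";

// 2) Condition 2 fails: the named class is not declared and no autoloader is
//    registered, so unserialize() produces a __PHP_Incomplete_Class object,
//    which has no magic methods and therefore runs nothing.
$unknown = str_replace('O:9:"LogWriter"', 'O:11:"OtherGadget"', $payload);
$obj = unserialize($unknown);
echo "undeclared class: ", get_class($obj), "\n";

// 3) Hardened call: allowed_classes => false makes unserialize() refuse to
//    instantiate any class, so even the declared gadget is never created and
//    the destructor never fires.
@unlink($target);
$obj = unserialize($payload, ['allowed_classes' => false]);
echo "allowed_classes=false: ", get_class($obj), ", file written: ",
     file_exists($target) ? "yes\n" : "no\n";
```

Run it with `php poi_demo.php`. Only case 1 creates the temp file; cases 2 and 3 return a `__PHP_Incomplete_Class` instance and leave the filesystem untouched, which is exactly the distinction the OWASP text draws between a reachable `unserialize()` and an exploitable one. Code that must accept serialized objects from untrusted input should pass an explicit allow-list to `allowed_classes` or, better, switch to a data-only format such as JSON.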
 
Make sure to post that response to the PR too, or else the maintainer might needlessly be trying to get the same information.
 