The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP objection injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user account that runs the web server) via a crafted cookie value, because unserialize is used to restore filter settings from a cookie.
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gosa | Gosa_project | 2.7.5.2 (including) | 2.7.5.2 (including) |
| Gosa | Ubuntu | bionic | * |
| Gosa | Ubuntu | disco | * |
| Gosa | Ubuntu | esm-apps/bionic | * |
| Gosa | Ubuntu | esm-apps/xenial | * |
| Gosa | Ubuntu | trusty | * |
| Gosa | Ubuntu | upstream | * |
| Gosa | Ubuntu | xenial | * |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.