b1gMail-OSS Deserialization Vulnerability in Admin Page Users Management
Vulnerability
A deserialization vulnerability affects b1gMail versions up to and including 7.4.1-pl1. The admin page 'src/admin/users.php' passes the 'query' parameter to PHP's unserialize() without restriction, so a request from an authenticated administrator can inject arbitrary PHP objects. Exploitation is remote but requires administrative access. Because the payload travels in a GET parameter, the crafted request can also be delivered to a logged-in administrator as a link, for example through Cross-Site Scripting (XSS) or a similar vector.
Impact
Exploitation of this vulnerability yields PHP Object Injection: a serialized object supplied in the 'query' parameter is instantiated by the application, and a gadget reachable this way can be used to delete arbitrary files that the web server process is permitted to remove. Deleting critical configuration files, or the .htaccess files that protect certain directories, would disrupt service.
Reproduction
To reproduce this vulnerability, log into the b1gMail admin interface and navigate to the users management page. Then issue a GET request to 'src/admin/users.php' whose 'query' parameter carries a crafted PHP-serialized string rather than the expected search data. When the application calls unserialize() on it, the injected object is instantiated and, once the request has been processed, deletes the file named in the payload, for example an arbitrary .txt file or an important configuration file, producing a denial-of-service condition.
Remediation
Users are advised to upgrade to b1gMail version 7.4.1-pl2, which addresses this vulnerability by replacing unserialize() with json_decode() for the 'query' parameter. json_decode() can only produce scalars, arrays and stdClass objects, so it never instantiates application classes and removes the object-injection primitive; the decoded data should still be validated against the fields the page expects. The update is available on the b1gMail GitHub releases page.
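The following PHP is an added example and is not b1gMail's code, nor the patched code in 7.4.1-pl2. It demonstrates both the mechanism described under Reproduction and the fix described under Remediation: the hypothetical class TempFile, with a destructor that deletes a file, stands in for whatever gadget a real deployment offers (the advisory does not name one); parseQueryVulnerable() mirrors the unserialize() call, parseQueryNoClasses() shows the allowed_classes mitigation available since PHP 7.0, and parseQueryFixed() mirrors the json_decode() replacement. The accepted key names and the payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget class for illustration only; not a b1gMail class.
// Any class with a destructor (or __wakeup) that acts on attacker-controlled
// properties turns unserialize() of untrusted data into a code path the
// attacker chooses. Here that path is unlink().
class TempFile
{
    public string $path = '';

    // Runs when the object is freed, including objects that unserialize() built.
    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: unserialize() on a request parameter instantiates any class.
function parseQueryVulnerable(string $query): mixed
{
    return unserialize($query);
}

// Mitigation if unserialize() must stay: no class is instantiated, the object
// becomes __PHP_Incomplete_Class and its __destruct never runs.
function parseQueryNoClasses(string $query): mixed
{
    return unserialize($query, ['allowed_classes' => false]);
}

// Hardened pattern (the approach taken in 7.4.1-pl2): json_decode() yields only
// scalars and arrays, then the result is restricted to expected keys (assumed names).
function parseQueryFixed(string $query): array
{
    $decoded = json_decode($query, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('query must be a JSON object');
    }
    $allowed = ['mail' => true, 'group' => true, 'limit' => true];
    return array_intersect_key($decoded, $allowed);
}

// Demonstration on a constructed payload and a throwaway file.
$victim = sys_get_temp_dir() . '/poi_demo.txt';
file_put_contents($victim, 'important');

// The serialized string an attacker would place in ?query=. It is built by
// hand rather than via serialize(new TempFile(...)) so that no gadget object
// exists in this script before unserialize() creates one.
$payload = sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

$obj = parseQueryVulnerable($payload);
unset($obj);                              // destructor fires, file is deleted
var_dump(file_exists($victim));           // bool(false)

file_put_contents($victim, 'important');
$safe = parseQueryNoClasses($payload);
var_dump(get_class($safe));               // string "__PHP_Incomplete_Class"
unset($safe);
var_dump(file_exists($victim));           // bool(true)

try {
    parseQueryFixed($payload);            // serialized data is not JSON
} catch (JsonException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
var_dump(parseQueryFixed('{"mail":"bob@example.com","limit":20,"evil":1}'));
// array(2) { ["mail"]=> "bob@example.com", ["limit"]=> 20 }; "evil" is dropped
unlink($victim);
```

The payload is deliberately written as a literal serialized string: calling serialize() on a freshly constructed TempFile would free that object at the end of the statement and trigger the very destructor the demo is about. The allowed_classes variant is a stopgap where the wire format cannot change; switching to JSON, as the 7.4.1-pl2 fix does, removes the class-instantiation primitive entirely.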
