in2code-de / powermail

This is the official repository of the TYPO3 extension powermail! Powermail is a well-known, editor-friendly, powerful and easy mailform extension for TYPO3
https://in2code.de

Possible security issue with 7.4.0 #669

Closed amtur8 closed 3 years ago

amtur8 commented 3 years ago

My client asked for a security audit and a page with a Powermail form gave this possible error.

PHP object deserialization of user-supplied data

It was determined that your web application is performing PHP object deserialization of user-supplied data. Arbitrary object deserialization is inherently unsafe, and should never be performed on untrusted data. Consult Web references section for more information about this issue.

Impact

Web applications that accept untrusted data to deserialize could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.

https://myserver.com/a-page POST (multipart) input tx_powermail_pi1[__trustedProperties] has the value a:2:{s:5:"field";a:13:{s:5:"objet";i:1;s:5:"prnom";i:1;s:3:"nom";i:1;s:14:"adressepostale";i:1;s:11:"appartement";i:1;s:5:"ville

This value looks like serialized PHP data.

I'm unsure if I should be alarmed by this. I'm pretty sure that the deserialization is done well, but I thought I'd say that here.

einpraegsam commented 3 years ago

Hi,

thx for your input. First of all this part is not part of powermail itself but part of extbase and fluid. Next, you should inform the TYPO3 security team when facing security issues: security@typo3.org. Deserialization is really a pain but as far as I understand TYPO3 found a secure way. More information over the security team.

Thx, Alex
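The "secure way" referred to above is integrity protection of the hidden field: Extbase appends an HMAC to the serialized `__trustedProperties` value and verifies it before anything is deserialized. The following PHP sketch is an added illustration of that pattern, not TYPO3's or powermail's own code; the function names, the secret and the sample array are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: sign the serialized trusted-properties array with a keyed
// HMAC when rendering the form, and refuse to unserialize anything whose
// signature does not verify on submission. Not TYPO3's real API.

const EXAMPLE_SECRET = 'replace-with-a-long-random-server-secret'; // assumption

// Build the value that goes into the hidden form field.
function signTrustedProperties(array $trustedProperties, string $secret): string
{
    $serialized = serialize($trustedProperties);
    // Fixed-length hex digest appended to the payload makes stripping trivial.
    return $serialized . hash_hmac('sha256', $serialized, $secret);
}

// Verify and decode the submitted value; returns null on any tampering.
function readTrustedProperties(string $submitted, string $secret): ?array
{
    $hmacLength = 64; // length of a sha256 hex digest
    if (strlen($submitted) <= $hmacLength) {
        return null;
    }
    $serialized = substr($submitted, 0, -$hmacLength);
    $givenHmac  = substr($submitted, -$hmacLength);
    $expected   = hash_hmac('sha256', $serialized, $secret);
    // Constant-time comparison so the check does not leak via timing.
    if (!hash_equals($expected, $givenHmac)) {
        return null;
    }
    // Even after the signature check, never let the payload instantiate objects.
    $decoded = unserialize($serialized, ['allowed_classes' => false]);
    return is_array($decoded) ? $decoded : null;
}

// Constructed sample mirroring the field names in the scanner output above.
$trusted = ['field' => ['objet' => 1, 'prnom' => 1, 'nom' => 1]];
$token = signTrustedProperties($trusted, EXAMPLE_SECRET);
var_dump(readTrustedProperties($token, EXAMPLE_SECRET) === $trusted);

// A still-valid serialized string with one key renamed: the HMAC no longer
// matches, so the value is rejected before unserialize() ever runs.
$tampered = str_replace('s:3:"nom"', 's:3:"n0m"', $token);
var_dump(readTrustedProperties($tampered, EXAMPLE_SECRET) === null);
```

The point for an audit is that the scanner only sees a serialized-looking value; whether it is exploitable depends on the server verifying a secret-keyed signature before deserializing, which a black-box check cannot observe.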