


Category:   Application (E-mail Server)  >   SquirrelMail
Vendors:   SquirrelMail Development Team
SquirrelMail Web-Based Mail Software Allows Remote Users to Execute PHP Commands on the Server
SecurityTracker Alert ID:  1001410
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 23 2001
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.0.5
Description:   Secure Reality released a preliminary security advisory for SquirrelMail's web-based mail software warning that it allows remote users to execute commands on the server.

The vendor confirms that this vulnerability allows any remote user to execute any PHP script on the web server without needing to log in.

Impact:   A remote user can execute any PHP script on the web server without any authentication.
Solution:   The vendor has released a fixed version (1.0.6).
Vendor URL:
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Additional Details and Exploit Methods are Presented) Re: SquirrelMail Web-Based Mail Software Allows Remote Users to Execute PHP Commands on the Server
Additional details are provided and exploit details are explained.

 Source Message Contents

Subject:  SquirrelMail vulnerability

Secure Reality Pty Ltd. Security Pre-Advisory #3 (SRPRE00003)

Remote command execution vulnerabilities in SquirrelMail


This is a pre-release. This vulnerability will be discussed in detail
Shaun Clowes' speech at the Black Hat briefings in Asia in the week of
23rd of April. A full advisory will be issued following the conference

SquirrelMail 1.4

All prior versions are almost certainly vulnerable but not tested

Remote command execution by unauthenticated remote users

The Authors have fixed the issues and issued a new version, 1.5, all
users are strongly advised to upgrade.

SquirrelMail 1.5:

Our thanks to the SquirrelMail team for their outstanding assistance in
and efficiently correcting this problem

Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behavior; a
that protection measures will work; an endorsement of any product or
solution or recommendations on behalf of Secure Reality Pty Ltd. Content
provided as is and Secure Reality Pty Ltd does not accept responsibility
any damage or injury caused as a result of its use.

