Category:   Application (E-mail Server)  >   SquirrelMail
Vendors:   SquirrelMail Development Team
SquirrelMail Web-based Mail Server Lets Remote Users Execute Arbitrary Code on the Server
SecurityTracker Alert ID:  1003358
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 25 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.2.2
Description:   A vulnerability was reported in the SquirrelMail webmail server. A remote user can execute arbitrary commands on the server.

It is reported that the spell checker plugin (check_me.mod.php) allows a remote user to specify commands to be executed on the server. The following type of URL will reportedly trigger the vulnerability:


Impact:   A remote user can execute commands on the server with the privileges of the web server.
Solution:   The vendor has released a fixed version (1.2.4), available at:

Also, the following patch for 1.2.2 was supplied by a user:

Vendor URL:
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

Source Message Contents

Subject:  squirrelmail bug

Squirrelmail remote execute commands bug

Version Affected :

SquirrelMail is a webmail system which allows users to send, get, read, etc.
mails. It has some themes, plugins, etc. One of the plugins has a very
interesting piece of code:

from file check_me.mod.php :

// the spell-check command is looked up by a key the request controls
$sqspell_command = $SQSPELL_APP[$sqspell_use_app];
// the data-file path is built from variables this file never initialises
$floc = "$attachment_dir/$username_sqspell_data.txt";
// both values are interpolated straight into a shell pipeline
exec ("cat $floc | $sqspell_command", $sqspell_output);

Everything should be ok, but where does this page include the config files
where $attachment_dir and the others are defined? Answer: nowhere. We can set up
the variables $sqspell_command and $floc. Result? We can execute any command,
of course as the HTTP server owner.

Exploit:



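As an added example that is not part of the advisory and is not SquirrelMail's own code, the following PHP shows how the check_me.mod.php pattern quoted above can be hardened against both problems the post describes: request-controlled variables reaching the call, and user-influenced strings being interpolated into a shell pipeline. The back-end list, the helper name sqspell_check(), the attachment directory and the session key are assumptions.

```php
<?php
// Added example, not SquirrelMail's code: a hardened form of the
// check_me.mod.php pattern. The back-end list, the helper name
// sqspell_check() and the directory/session values are assumptions.

// Allow-list of spell-check back-ends as argv arrays. The client only ever
// picks a key; the executable and its arguments are fixed server-side.
$SQSPELL_APP = [
    'English' => ['/usr/bin/ispell', '-a'],
    'Polish'  => ['/usr/bin/ispell', '-a', '-d', 'polish'],
];

/**
 * Run the spell checker over the user's saved text and return its output
 * lines. $request is the explicit request array ($_GET or $_POST) and
 * $username comes from the server-side session; nothing is taken from
 * register_globals, so a client cannot preset $sqspell_command or $floc
 * through the query string.
 */
function sqspell_check(array $request, string $attachment_dir, string $username): array
{
    global $SQSPELL_APP;

    // 1. Validate the selector against the allow-list; it is never used as
    //    a command itself.
    $use_app = (string) ($request['sqspell_use_app'] ?? '');
    if (!array_key_exists($use_app, $SQSPELL_APP)) {
        throw new InvalidArgumentException('unknown spell-check back-end');
    }
    $argv = $SQSPELL_APP[$use_app];

    // 2. Derive the data-file path from server-side values only. basename()
    //    drops any directory components, so a username containing "../"
    //    cannot point outside $attachment_dir.
    $floc = $attachment_dir . '/' . basename($username) . '.sqspell_data.txt';
    if (!is_file($floc)) {
        throw new RuntimeException('no spell-check data for this user');
    }

    // 3. Start the checker without a shell (array form of proc_open,
    //    PHP >= 7.4) and feed the file through stdin instead of
    //    "cat $floc | ...", so no request-influenced string is ever
    //    interpolated into a command line.
    $descriptors = [
        0 => ['pipe', 'r'],   // child's stdin
        1 => ['pipe', 'w'],   // child's stdout
        2 => ['pipe', 'w'],   // child's stderr
    ];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start spell checker');
    }
    fwrite($pipes[0], file_get_contents($floc));
    fclose($pipes[0]);
    $sqspell_output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    return explode("\n", rtrim($sqspell_output, "\n"));
}

// Usage (the attachment path and session key are assumptions):
// $lines = sqspell_check($_GET, '/var/local/squirrelmail/attach', $_SESSION['username']);
```

The three changes map directly onto the post's observations: reading the selector from the request array explicitly removes the dependence on register_globals, building $floc from session data plus basename() removes the path the post says the client can set, and passing an argv array to proc_open() means the value of $sqspell_command no longer passes through a shell at all.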
