Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (E-mail Server)  >   SquirrelMail Vendors:   SquirrelMail Development Team
SquirrelMail May Execute Arbitrary Commands When Encrypting Mail to Specially Crafted Addresses
SecurityTracker Alert ID:  1008548
SecurityTracker URL:
CVE Reference:   CVE-2003-0990   (Links to External Site)
Updated:  Dec 27 2003
Original Entry Date:  Dec 24 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 1.4.2
Description:   An input validation vulnerability was reported in SquirrelMail. Arbitrary operating system commands may be executed when encrypting mail to specially crafted addresses.

Bugtraq Security Systems originally reported that the 'send_to_bcc' variable is not properly filtered. According to their report, a specially crafted 'To:' line that includes operating system commands can be executed with the privleges of the target web service when the target user clicks 'encrypt now'.

The report provided the following demonstration exploit line:

To: ;echo "YO, dudes. Static analysis ain't rocket science." >> /tmp/message;

[Editor's note: The vendor has since disputed aspects of the original report. The vendor states that the vulnerability resides in SquirrelMail and not in the GPG plugin.]

According to the vendor, SquirrelMail versions prior to 1.4.2 contain a flaw in the parseAddress() code in the attempted removal of the type of commands described in the Bugtraq Security Systems report. The vendor says that the described exploit will not work, but a modification of the described exploit may be successful with GPG Plugin version 1.1 and SquirrelMail version 1.4.0.

The original advisory is to be available at the following URL, but was not available at the time of this entry:

Impact:   Arbitrary operating system commands may be executed with the privileges of the target web service.
Solution:   The vendor reports that SquirrelMail 1.4.2 (released on October 01, 2003) corrects the problem.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC