SquirrelMail Command Execution Vulnerability Network Vulnerability

Summary

This host is running SquirrelMail Web application and is prone to command execution vulnerability.

Impact

Successful exploitation will let the attacker execute arbitrary commands into the context of the affected web mailing application and can conduct cross site scripting, session fixation or phishing attacks. Impact Level: Application

Solution

Upgrade to SquirrelMail version 1.4.19 or later http://squirrelmail.org/download.php

Insight

The flaw is due to improper handling of arbitrary commands in map_yp_alias function in functions/imap_general.php file via shell metacharacters in a username string that is used by the ypmatch program.

Affected

SquirrelMail version prior to 1.4.19

References

http://release.debian.org/proposed-updates/stable_diffs/squirrelmail_1.4.15-4+lenny2.debdiff
http://secunia.com/advisories/35140
http://www.debian.org/security/2009/dsa-1802

Updated on 2015-03-25

Severity

Classification

CVE CVE-2009-1381

CVSS	Base Score: 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Apache mod_proxy_ajp Information Disclosure Vulnerability
Adobe ColdFusion Multiple Vulnerabilities-03 May-2014
@Mail 'MailType' Parameter Cross Site Scripting Vulnerability
Apache Open For Business HTML injection vulnerability
Ampache Reflected Cross Site Scripting Vulnerability

Take action and discover your vulnerabilities