Summary
The host is running the SquirrelMail web application and is prone to a command execution vulnerability.
Impact
Successful exploitation lets a remote attacker execute arbitrary shell commands on the mail server with the privileges of the web server process that runs SquirrelMail, which exposes stored mail and credentials and opens the host to further compromise. The same SquirrelMail 1.4.19 release also fixed separate cross-site scripting and session fixation issues; those are distinct from the command execution described here.
Impact Level: Application
Solution
Upgrade to SquirrelMail version 1.4.19 or later
http://squirrelmail.org/download.php
Insight
The flaw exists because the map_yp_alias function in functions/imap_general.php passes a username string to the ypmatch program through the shell without neutralising shell metacharacters, so a username containing characters such as ';' or backticks can append arbitrary commands to the ypmatch invocation. CVE-2009-1381 was assigned because an earlier fix for this issue (tracked as CVE-2009-1579) was incomplete.
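As an added illustration (not SquirrelMail's own code), the following PHP contrasts the vulnerable pattern with a hardened lookup. It substitutes echo for ypmatch so it runs on a host without NIS; that substitution, the function names and the allowlist pattern are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example modelling the CVE-2009-1381 bug class; it is not SquirrelMail code.
// 'echo' stands in for 'ypmatch' (assumption) so the script runs without NIS.
const YP_COMMAND = 'echo';

// Vulnerable pattern: the username is interpolated straight into the shell command,
// so every shell metacharacter it contains is interpreted by /bin/sh.
function map_yp_alias_vulnerable(string $username): string
{
    $cmd = YP_COMMAND . " $username aliases";
    return trim((string) shell_exec($cmd));
}

// Hardened pattern: reject anything outside a conservative username alphabet
// (allowlist is an assumption; adjust to the site's naming policy), then quote
// the argument so the shell sees exactly one word regardless of its content.
function map_yp_alias_safe(string $username): string
{
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $username)) {
        throw new InvalidArgumentException('username contains disallowed characters');
    }
    $cmd = YP_COMMAND . ' ' . escapeshellarg($username) . ' aliases';
    $yp = (string) shell_exec($cmd);
    // ypmatch prints "key value"; drop the key and the separating space.
    return trim(substr($yp, strlen($username) + 1));
}

// Constructed payload: ';' ends the first command and starts a second one.
$payload = 'alice; echo INJECTED';

echo "vulnerable: ", map_yp_alias_vulnerable($payload), "\n";

try {
    map_yp_alias_safe($payload);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected (", $e->getMessage(), ")\n";
}

echo "safe: ", map_yp_alias_safe('alice'), "\n";
```

Run it with `php example.php`: the vulnerable call shows the injected second command executing, while the hardened call rejects the payload before any shell is spawned. escapeshellarg on its own is sufficient to close the injection; the allowlist is defence in depth. escapeshellcmd is not an adequate substitute, because it escapes metacharacters but does not quote, so whitespace in the value still splits it into several arguments.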
Affected
SquirrelMail version prior to 1.4.19
References
CVE-2009-1381
Severity
CVSS Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)