search menu icon-carat-right cmu-wordmark

CERT Coordination Center

SquirrelMail vulnerable to command injection because of flawed input checking in S/MIME plug-in

Vulnerability Note VU#502328

Original Release Date: 2005-02-09 | Last Revised: 2005-02-10

Overview

SquirrelMail contains a flaw in its S/MIME plug-in certificate handling routines which may allow arbitrary code to be remotely executed.

Description

From the SquirrelMail web page:

SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.

SquirrelMail's input handling contains a flaw that may allow remote attackers to execute arbitrary code with elevated privileges. The S/MIME plug-in fails to check the $cert variable, which contains user-supplied data, before using the variable in a call to exec().

Impact

A remote attacker may be able to supply arbitrary code to be executed in the call to exec() with the privileges of the web server.

Solution

Apply an update
SquirrelMail has released an updated version of the S/MIME plug-in that is not affected by this flaw. Version 0.6 (or later) does not contain this flaw and can be obtained from the SquirrelMail S/MIME plug-in page.

Vendor Information

502328
 
Affected   Unknown   Unaffected

SquirrelMail Project Team

Notified:  February 08, 2005 Updated:  February 09, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

An update can be obtained on the SquirrelMail S/MIME plug-in page.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to iDefense for reporting this vulnerability, who in turn credit Karol Wiesek with the discovery of the flaw

This document was written by Ken MacInnis based primarily on information from iDefense Inc.

Other Information

CVE IDs: CVE-2005-0239
Severity Metric: 4.91
Date Public: 2005-02-07
Date First Published: 2005-02-09
Date Last Updated: 2005-02-10 22:10 UTC
Document Revision: 14

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.