SquirrelMail opens users to remote code execution (Help Net Security)
2017-04-25 16:32

Users of open source webmail software SquirrelMail are open to remote code execution due to a bug (CVE-2017-7692) discovered independently by two researchers. “If the target server uses Sendmail and SquirrelMail is configured to use it as a command-line program, it’s possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command,” the explanation provided by MITRE reads. “For exploitation, the attacker must upload a sendmail.cf file as …


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/N8Thqudg_ok/

Related Vulnerability

DATE: 2017-04-20
CVE: CVE-2017-7692
VULNERABILITY TITLE: Improper Input Validation vulnerability in Squirrelmail 1.4.22
SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call.
RISK: 8.8 (attack vector: network; attack complexity: low)
VENDOR / WEAKNESS: squirrelmail, CWE-20

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Squirrelmail 2 0 8 4 1 13