


Golunski said he did manage to make contact and that a CVE (CVE-2017-5181) was assigned to the vulnerability but that the developers behind the package, citing personal issues, requested some time to patch.
Golunski was prompted to release his advisory last week after Filippo Cavallarin, the CEO of Segment, an Italian security firm, disclosed the same issue via the Full Disclosure mailing list archives. Cavallarin said he elected to disclose the vulnerability after he failed to make contact with the project’s maintainers. The proof of concept contains payloads for two vectors, file write and remote code execution. It requires user credentials and that SquirrelMail uses Sendmail.

Golunski documented the vulnerability in a video published earlier this week. In a proof of concept built by Golunski, he shows how an attacker could inject specific parameters to a malicious Sendmail config file, which can then be uploaded as an attachment to carry out arbitrary command execution. The researcher said that when it uses Sendmail, SquirrelMail failed to take into account a character that can be used by attackers to inject additional parameters. Sendmail, perhaps the most popular mail transfer agent, often comes configured as default on email environments.

The researcher, who disclosed the vulnerability in a write-up on his site last Friday, said it stemmed from insufficient escaping of user-supplied data when the package is configured with Sendmail as its main transport. In a description of the bug on the package’s site, SquirrelMail confirmed that some builds were vulnerable to a “command-line argument injection exploit that could allow arbitrary code execution if $edit_identity and $useSendmail are enabled and user has knowledge of the location and permissions on the SquirrelMail attachment directory.”
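The mitigation for this class of argument injection, as an added example that is not SquirrelMail's code or its patch: validate the user-controlled sender against an allowlist and hand it to the mail transfer agent as its own argv element instead of escaping it into a command string. The function names, the Sendmail path and the sample addresses are assumptions made for illustration.

```php
<?php
// Added illustration, not SquirrelMail code. All names below are hypothetical.

/** Return $addr if it is safe as a Sendmail envelope sender, else null. */
function safe_envelope_sender(string $addr): ?string
{
    // Reject any whitespace or control character: these can split one
    // command-line argument into several.
    if (preg_match('/[\s\x00-\x1f\x7f]/', $addr)) {
        return null;
    }
    // Reject a leading dash, which the MTA would parse as an option.
    if ($addr === '' || $addr[0] === '-') {
        return null;
    }
    // Conservative local@domain shape; anything else is refused, not escaped.
    if (!preg_match('/^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}$/', $addr)) {
        return null;
    }
    return $addr;
}

/** Build the MTA argv as an array so no shell ever parses the sender. */
function build_sendmail_argv(string $sendmailPath, string $sender): array
{
    $safe = safe_envelope_sender($sender);
    if ($safe === null) {
        throw new InvalidArgumentException('rejected envelope sender');
    }
    // The sender is a separate element after -f. Passed to proc_open() as an
    // array (PHP 7.4+), the process is started directly, without a shell.
    return [$sendmailPath, '-t', '-i', '-f', $safe];
}

// Constructed sample inputs: one valid address and three that must be refused.
$samples = ["alice@example.org", "alice@example.org\textra", "-alice@example.org", "alice @example.org"];
foreach ($samples as $s) {
    try {
        $argv = build_sendmail_argv('/usr/sbin/sendmail', $s);
        echo json_encode($s), ' => ', json_encode($argv), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($s), ' => ', $e->getMessage(), PHP_EOL;
    }
}
```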
Golunski told Threatpost on Thursday that squirrelmail-20170427_0200-SVN.stable includes a patch for the vulnerability. The researcher has previously uncovered similar remote code execution issues in the email libraries PHPMailer and SwiftMailer.

Developers behind the webmail package had been informed of the vulnerability but it wasn’t clear if it was going to get fixed until a patch arrived yesterday. On Thursday, developers behind the PHP-based webmail package SquirrelMail patched a remote code execution vulnerability that could let attackers execute arbitrary commands on the target and compromise the system.

Dawid Golunski, a researcher with Legal Hackers, discovered the vulnerability and reported it to the project’s maintainers in January.
