The parseAddress code in (1) SquirrelMail 1.4.0 and (2) GPG Plugin 1.1 allows remote attackers to execute commands via shell metacharacters in the To: field.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gpg_plugin | Squirrelmail | 1.1 (including) | 1.1 (including) |
| Squirrelmail | Squirrelmail | 1.4.0 (including) | 1.4.0 (including) |
References
- http://marc.info/?l=bugtraq\u0026m=107247236124180\u0026w=2
- http://www.bugtraq.org/advisories/_BSSADV-0001.txt
- http://www.securityfocus.com/archive/1/348366
- http://www.securityfocus.com/bid/9296
- https://exchange.xforce.ibmcloud.com/vulnerabilities/14079
- http://marc.info/?l=bugtraq\u0026m=107247236124180\u0026w=2
- http://www.bugtraq.org/advisories/_BSSADV-0001.txt
- http://www.securityfocus.com/archive/1/348366
- http://www.securityfocus.com/bid/9296
- https://exchange.xforce.ibmcloud.com/vulnerabilities/14079