The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Imap_general.php | Squirrelmail | 1.2.2 (including) | 1.2.2 (including) |
| Squirrelmail | Squirrelmail | 1.2.5 (including) | 1.2.5 (including) |
| Squirrelmail | Squirrelmail | 1.2.6 (including) | 1.2.6 (including) |
| Squirrelmail | Squirrelmail | 1.2.6-rc1 (including) | 1.2.6-rc1 (including) |
| Squirrelmail | Squirrelmail | 1.2.7 (including) | 1.2.7 (including) |
| Squirrelmail | Squirrelmail | 1.2.8 (including) | 1.2.8 (including) |
| Squirrelmail | Squirrelmail | 1.2.9 (including) | 1.2.9 (including) |
| Squirrelmail | Squirrelmail | 1.2.10 (including) | 1.2.10 (including) |
| Squirrelmail | Squirrelmail | 1.2.11 (including) | 1.2.11 (including) |
| Squirrelmail | Squirrelmail | 1.4.0 (including) | 1.4.0 (including) |
| Squirrelmail | Squirrelmail | 1.4.0-r1 (including) | 1.4.0-r1 (including) |
| Squirrelmail | Squirrelmail | 1.4.1 (including) | 1.4.1 (including) |
| Squirrelmail | Squirrelmail | 1.4.2 (including) | 1.4.2 (including) |
| Squirrelmail | Squirrelmail | 1.4.2-r1 (including) | 1.4.2-r1 (including) |
| Squirrelmail | Squirrelmail | 1.4.2-r2 (including) | 1.4.2-r2 (including) |
| Squirrelmail | Squirrelmail | 1.4.2-r3 (including) | 1.4.2-r3 (including) |
| Squirrelmail | Squirrelmail | 1.4.2-r4 (including) | 1.4.2-r4 (including) |
| Squirrelmail | Squirrelmail | 1.4.2-r5 (including) | 1.4.2-r5 (including) |
| Squirrelmail | Squirrelmail | 1.4.3_rc1 (including) | 1.4.3_rc1 (including) |
| Squirrelmail | Squirrelmail | 1.4.3_rc1-r1 (including) | 1.4.3_rc1-r1 (including) |
| Squirrelmail1.4.19-1 | Squirrelmail | * | * |