A remote command injection vulnerability has been identified in the G/PGP Encryption Plugin for the SquirrelMail webmail package, which allows attackers to execute arbitrary commands.
The problem exists within the function "gpg_check_sign_pgp_mime()" defined in "gpg_hook_functions.php". User-supplied data is not filtered before it is passed to a call to exec().
SquirrelMail G/PGP Encryption Plugin 2.0
Remote command execution.
The vendor has released SquirrelMail 2.1 to address this issue. Please upgrade to it.
SquirrelMail G/PGP Encryption Plugin version 2.1
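
The class of flaw described above, unfiltered input reaching exec(), is shown below as an added example next to two hardened forms. This is not the plugin's code: the function names, file names and the sample value are hypothetical and constructed for illustration, and the argv form assumes PHP 7.4 or later.

```php
<?php
// Added illustration, not code from the G/PGP plugin. All names are hypothetical.

// Weak pattern: a request-derived value is concatenated into a shell command line,
// so the shell interprets any metacharacters it contains.
function build_verify_command_unsafe(string $sigFile, string $dataFile): string
{
    return "gpg --verify " . $sigFile . " " . $dataFile . " 2>&1";
}

// Hardened pattern 1: each dynamic value is quoted so the shell sees one literal word.
function build_verify_command_escaped(string $sigFile, string $dataFile): string
{
    return "gpg --verify " . escapeshellarg($sigFile) . " "
         . escapeshellarg($dataFile) . " 2>&1";
}

// Hardened pattern 2: pass an argv array so no shell is involved at all.
// "--" stops gpg from treating a value that starts with "-" as an option.
function run_verify_no_shell(string $sigFile, string $dataFile): array
{
    $argv = ['gpg', '--batch', '--verify', '--', $sigFile, $dataFile];
    // stdout is captured; stderr is merged into it to avoid reading two pipes.
    $spec = [1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['ok' => false, 'output' => 'could not start gpg'];
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    // gpg exits with status 0 only when the signature verifies.
    return ['ok' => proc_close($proc) === 0, 'output' => $output];
}

// Constructed sample value containing a shell metacharacter.
$sig = "sig.asc; echo INJECTED";

// The unsafe string contains a second command; the escaped string does not.
echo build_verify_command_unsafe($sig, "body.txt"), "\n";
echo build_verify_command_escaped($sig, "body.txt"), "\n";

// With argv passing, the whole value is treated as one (nonexistent) file name.
$result = run_verify_no_shell($sig, "body.txt");
echo $result['ok'] ? "signature valid\n" : "verification failed\n";
```

Where the file names can be generated server-side (for example with tempnam()) rather than taken from the message or request, that removes the attacker-controlled value from the command entirely.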