Intrusion Prevention

SquirrelMail.PGP.Plug-in.Remote.Command.Execution

Description

A remote command injection vulnerability has been identified in the G/PGP Encryption Plugin for the SquirrelMail webmail package, which allows attackers to execute arbitrary commands.
The problem exists within the function "gpg_check_sign_pgp_mime()" defined in "gpg_hook_functions.php". The user supplied data isn't filtered before it's passed to a call to exec().

Affected Products

SquirrelMail G/PGP Encryption Plugin 2.0

Impact

Remote command execution.

Recommended Actions

The vendor has released SquirrelMail 2.1 to address this issue. Please upgrade to it.
SquirrelMail G/PGP Encryption Plugin version 2.1
http://www.squirrelmail.org/plugin_download.php?id=153&rev=1303

CVE References

CVE-2007-3634