SquirrelMail.PGP.Plug-in.Remote.Command.Execution
Description
A remote command injection vulnerability has been identified in the G/PGP Encryption Plugin for the SquirrelMail webmail package, which allows attackers to execute arbitrary commands.
The problem lies in the function "gpg_check_sign_pgp_mime()", defined in "gpg_hook_functions.php". User-supplied data is not filtered before it is passed to a call to exec().
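The bug class described above (request data reaching exec() unfiltered), shown next to a hardened form. This is an added PHP example, not the plugin's code; the function names, arguments and the gpg invocation are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. Function names, arguments and the
// gpg invocation are assumptions chosen to show the bug class.

// Unsafe shape: request-derived strings are concatenated into one command line,
// so the shell that exec() starts interprets any metacharacters they contain.
function verify_unsafe(string $sigFile, string $dataFile): int
{
    exec("gpg --verify $sigFile $dataFile 2>&1", $output, $status);
    return $status;
}

// Hardened shape: validate each value, then run gpg with an argument vector.
// proc_open() with an array (PHP 7.4+) starts the program without a shell.
function verify_safe(string $sigFile, string $dataFile): array
{
    foreach ([$sigFile, $dataFile] as $path) {
        // Assumption: inputs are server-created temp files with plain names.
        if (!preg_match('/\A[A-Za-z0-9_.\/-]+\z/', $path) || !is_file($path)) {
            throw new InvalidArgumentException('unexpected file path');
        }
    }
    // "--" ends option parsing, so a name starting with "-" stays a file name.
    $argv = ['gpg', '--batch', '--no-tty', '--verify', '--', $sigFile, $dataFile];
    // stderr is merged into stdout so a single pipe carries all gpg messages.
    $spec = [0 => ['null'], 1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    // Read to EOF before waiting, so gpg never blocks on a full pipe.
    $messages = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc); // 0 means gpg accepted the signature
    return [$status, $messages];
}
```

The validation and the argument vector are independent layers: the pattern check rejects unexpected values early, and the array form keeps any value that does get through from being parsed by a shell.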
Affected Products
SquirrelMail G/PGP Encryption Plugin 2.0
Impact
Remote command execution.
Recommended Actions
The vendor has released SquirrelMail 2.1 to address this issue. Please upgrade to it.
SquirrelMail G/PGP Encryption Plugin version 2.1
http://www.squirrelmail.org/plugin_download.php?id=153&rev=1303