SquirrelMail map_yp_alias Username Mapping Alias Arbitrary Code Execution

Severity: High. Nessus Plugin ID: 38794

Synopsis

The remote webmail application allows execution of arbitrary code.

Description

The installed version of SquirrelMail fails to properly sanitize input to the '$username' variable in the 'map_yp_alias' function in 'functions/imap_general.php'. An unauthenticated, remote attacker can exploit this to execute arbitrary code subject to the privileges of the affected web server.

Note that several cross-site scripting vulnerabilities and a session fixation vulnerability have also been reported, though Nessus has not tested for these.

Solution

Upgrade to SquirrelMail 1.4.19 or later.

See Also

http://www.squirrelmail.org/security/issue/2009-05-10

Plugin Details

Severity: High

ID: 38794

File Name: squirrelmail_map_yp_alias_code_exec.nasl

Version: 1.16

Type: remote

Family: CGI abuses

Published: 5/15/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:squirrelmail:squirrelmail

Required KB Items: www/squirrelmail

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Exploited by Nessus: true

Exploitable With

Core Impact

Reference Information

CVE: CVE-2009-1579

BID: 34916

CWE: 94