SquirrelMail G/PGP Encryption Plugin <= 2.1 Remote Command Execution

high Nessus Network Monitor Plugin ID 4133

Synopsis

The remote host is vulnerable to an arbitrary 'command insertion' flaw.

Description

The remote host is running the SquirrelMail web-based email software with GPG Encryption enabled. This version of the GPG Plugin is vulnerable to a flaw in the way that it parses user-supplied data. An attacker exploiting this flaw would be able to execute shell commands on the remote server with the permissions of the SquirrelMail server process.

Solution

Upgrade to a version of GPG Plugin higher than 2.1.

See Also

http://www.squirrelmail.org/plugin_view.php?id=153

Plugin Details

Severity: High

ID: 4133

Family: CGI

Published: 7/12/2007

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:W/RC:X

Vulnerability Information

CPE: cpe:/a:squirrelmail:gpg_plugin

Reference Information

CVE: CVE-2005-1924, CVE-2006-4169, CVE-2007-3778

BID: 26788, 24874