SquirrelMail G/PGP Encryption Plugin <= 2.1 Remote Command Execution

High Nessus Network Monitor Plugin ID 4133

Synopsis

The remote host is vulnerable to an arbitrary 'command insertion' flaw.

Description

The remote host is running the SquirrelMail web-based email software with GPG Encryption enabled. This version of the GPG Plugin is vulnerable to a flaw in the way that it parses user-supplied data. An attacker exploiting this flaw would be able to execute shell commands on the remote server with the permissions of the SquirrelMail server process.

Solution

Upgrade to a version of GPG Plugin higher than 2.1.

See Also

http://www.squirrelmail.org/plugin_view.php?id=153

Plugin Details

Severity: High

ID: 4133

File Name: 4133.prm

Family: CGI

Published: 2007/07/12

Modified: 2016/01/21

Dependencies: 1442

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:W/RC:ND

CVSSv3

Base Score: 7.3

Temporal Score: 6.9

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:W/RC:X

Reference Information

CVE: CVE-2007-3778, CVE-2005-1924, CVE-2006-4169

BID: 26788, 24874