SquirrelMail leak allows attacker to execute code remotely

Two security researchers warn of a critical vulnerability in the latest version of the email client SquirrelMail. This allows a logged in user to remotely execute arbitrary code and thus take over the server.

The researchers, Filippo Cavallarin and Dawid Golunski, have independently discovered the same vulnerability in the software. Golunski reports that he published his findings in the absence of a patch, as the other researcher proceeded to publish. There is no patch yet, because the owner of SquirrelMail has not got around to it due to ‘personal circumstances’, according to Golunski. Cavallarin also reports that there is no patch yet, but itself offers an unofficial patch that should be handled with caution.

In the warnings, the researchers report that the most recent version of SquirrelMail, version 1.4.22, is vulnerable and that the vulnerability, CVE-2017-7692, may also exist in earlier versions of the software. Golunksi is adamant that earlier versions are also vulnerable. The vulnerability requires that Sendmail be set up as a mail transfer agent and that use as a command line is enabled. That way, a logged-in attacker could have Sendmail use its own configuration file to run code.

In the absence of a patch, SquirrelMail users can choose to use an alternative to Sendmail, Golunski said. The vulnerability is said to resemble the PHPMailer vulnerability, which was patched late last year. SquirrelMail is an open source webmail client written in PHP.