2017-06-16 19:22
CVE-2017-7692 squirrelmail
2017-05-22 20:03
2017-05-10 23:50
2017-05-03 21:03
2017-04-27 01:04
2017-04-21 03:04


SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The problem is in the Deliver_SendMail.class.php with the initStream function that uses escapeshellcmd() to sanitize the sendmail command before executing it. The use of escapeshellcmd() is not correct in this case since it doesn't escape whitespaces, allowing the injection of arbitrary command parameters. The problem is in -f$envelopefrom within the sendmail command line. Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, it's possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command. For exploitation, the attacker must upload a file as an email attachment, and inject the filename with the -C option within the "Options > Personal Informations > Email Address" setting.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Release Package Patched in
trusty squirrelmail 2:1.4.23~svn20120406-2+deb8u1build0.14.04.1
xenial squirrelmail 2:1.4.23~svn20120406-2+deb8u1ubuntu0.16.04.1
yakkety squirrelmail 2:1.4.23~svn20120406-2+deb8u1ubuntu0.16.10.1


Release Package Reason
precise squirrelmail ignored
precise/esm squirrelmail DNE
vivid/stable-phone-overlay squirrelmail DNE
vivid/ubuntu-core squirrelmail DNE
zesty squirrelmail DNE
devel squirrelmail DNE

Needs Triage

Release Package Reason
upstream squirrelmail needs-triage