![]() ![]() 'data/' (NOT recommended: you need to secure apache to make sure these files are not world string $data_dirĭefinition at line 499 of file config_default.php. Relative (to main SM directory): $data_dir = SM_PATH. It merely passes information to your IMAP server and formats it so it looks better to the people logged in. Here are two examples:Ībsolute: $data_dir = '/var/local/squirrelmail/data/' SquirrelMail 1.4.22 Remote Code Execution Posted Authored by Dawid Golunski SquirrelMail versions 1.4.22 and below suffer from a remote code execution vulnerability. SquirrelMail (without plugins) is just an IMAP client - nothing more. hMailServer installation instructions are at. If it is relative, it must use the SM_PATH constant. SquirrelMail installation instructions are inside SquirrelMail package or in SquirrelMail wiki. Please note that this changes only some of server. The path name can be absolute or relative (to the config directory). Valid type are the following (case is important): courier cyrus exchange uw macosx hmailserver other. It is possible to put the data directory anywhere you would like it is strongly advised that it is NOT directly web-accessible. ![]() It is a possible security hole to have a writable directory under the web server's root directory (ex: /home/httpd/html). Variable Documentation ◆ $abook_file_line_length $default_use_javascript_addr_book = false Get directions, find nearby businesses and places, and much more. $theme = 'Spice of Life - Dark (Changes)' Discover places to visit and explore on Bing Maps, like Hacker Valley, West Virginia. What I need is a Webmail program, and as much as I found out is that SquirrelMail is the choice. SquirrelMail < 1.4. $theme = 'Spice of Life - Lite (Changes)' I installed hmailserver (using the default mySQL installation, because when I tried to use MSSQL I always got an error message, that the program is not able to determine the MSSQL version - i.e. $attachment_dir = '/var/local/squirrelmail/attach/' Pros Although, SquirrelMail is no longer supported, it offers many merits. ![]() For exploitation, the attacker must upload a sendmail.cf file as an email attachment, and inject the sendmail.cf filename with the -C option within the "Options > Personal Informations > Email Address" setting.$org_logo = SM_PATH. server on amazon route 53 as well as MTA(hmail server) and MUA(squirrelmail). Hence, if the target server uses sendmail and SquirrelMail is configured to use it as a command-line program, it's possible to trick sendmail into using an attacker-provided configuration file that triggers the execution of an arbitrary command. A part time bug bounty hunter who loves to create automation in pentesting. The problem is in the DeliverSendMail.class. Its possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. ![]() You can filter results by cvss scores, years and months. The problem is in -f$envelopefrom within the sendmail command line. Security vulnerabilities of Squirrelmail Squirrelmail version 1.4.22 List of cve security vulnerabilities related to this exact version. The use of escapeshellcmd() is not correct in this case since it doesn't escape whitespaces, allowing the injection of arbitrary command parameters. The SquirrelMail Team is pleased to announce the release of SquirrelMail version 1.4.22. The problem is in the Deliver_ with the initStream function that uses escapeshellcmd() to sanitize the sendmail command before executing it. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Cvss scores, vulnerability details and links to full CVE details and references. SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. Security vulnerabilities related to Hmailserver : List of vulnerabilities related to any product of this vendor. ![]()
0 Comments
Leave a Reply. |