Date: Tue, 25 Apr 2017 16:56:56 -0400
From: Stuart Gathman <stuart@...hman.org>
To: oss-security@...ts.openwall.com
Subject: Re: SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692)

On 04/24/2017 05:14 PM, Dawid Golunski wrote:
> SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692)
>
> Desc.:
> SquirrelMail is affected by a critical Remote Code Execution vulnerability
> which stems from insufficient escaping of user-supplied data when
> SquirrelMail has been configured with Sendmail as the main transport.
> An authenticated attacker may be able to exploit the vulnerability
> to execute arbitrary commands on the target and compromise the remote
> system.
We deploy squirrelmail NOT using sendmail for sending mail
($useSendmail = false).  There is no reason not to use SMTP instead of
running sendmail directly.  It doesn't seem to be vulnerable that way -
and I suggest that as a mitigation.  Just to be sure, after reading this
advisory I added $sendmail_path = '/usr/sbin/false'; (We always avoid
direct command execution with PHP because PHP is prone to quoting bugs.)

OT: is there already a utility that *safely* logs arguments and stdin
(as was apparently used to explain the exploit)?  I could write a C
prog, or a carefully quoted bash script - but would rather use an
already proven utility.
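Two things in the post above lend themselves to a small worked example: the configuration mitigation (SMTP transport instead of sendmail, and $sendmail_path pointed at a no-op binary), and the request for a utility that records a program's arguments and stdin without any quoting risk. The following Python script is an added example, not part of the post and not SquirrelMail's own code. The config key names $useSendmail and $sendmail_path and the path /usr/sbin/false come from the post; the sample config fragments, the extra no-op binary paths, the log file location and the function names are constructed assumptions.

```python
import re
import sys
import time

# Constructed sample config.php fragments (not SquirrelMail's shipped defaults).
# WEAK_CONFIG has the transport the advisory concerns; HARDENED_CONFIG applies
# the poster's mitigation: SMTP transport plus a sendmail_path that can never
# execute anything useful.
WEAK_CONFIG = """\
$useSendmail = true;
$sendmail_path = '/usr/sbin/sendmail';
$smtpServerAddress = 'localhost';
"""

HARDENED_CONFIG = """\
$useSendmail = false;
$sendmail_path = '/usr/sbin/false';
$smtpServerAddress = 'localhost';
$smtpPort = 25;
"""

# /usr/sbin/false is the path used in the post; the other two are where
# false(1) usually lives on Linux and BSD (assumption).
NOOP_BINARIES = {"/usr/sbin/false", "/usr/bin/false", "/bin/false"}

# Matches simple PHP assignments of the two settings we care about.
_ASSIGN = re.compile(r"^\s*\$(useSendmail|sendmail_path)\s*=\s*(.+?)\s*;", re.M)


def _php_value(raw):
    """Turn a PHP literal (true/false or a quoted string) into a Python value."""
    raw = raw.strip()
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw


def audit_squirrelmail_config(text):
    """Return a list of findings for a config.php text; empty means hardened."""
    settings = {name: _php_value(val) for name, val in _ASSIGN.findall(text)}
    findings = []
    if settings.get("useSendmail") is True:
        findings.append(
            "$useSendmail = true: mail is handed to a local sendmail binary; "
            "set $useSendmail = false and deliver over SMTP instead"
        )
    path = settings.get("sendmail_path")
    if path is not None and path not in NOOP_BINARIES:
        findings.append(
            f"$sendmail_path = {path!r} still names a real binary; point it at "
            "/usr/sbin/false so the sendmail path cannot run anything even if "
            "$useSendmail is flipped back on"
        )
    return findings


def log_invocation(argv, stdin_bytes, log_path):
    """Append argv and stdin to log_path without passing either through a shell.

    repr() keeps spaces, quotes and newlines unambiguous in the log, which is
    what makes this safe to use as a stand-in for a program under study.
    Pass log_path=None to get the record back without writing a file.
    """
    lines = [f"--- {time.strftime('%Y-%m-%dT%H:%M:%S')} argc={len(argv)}"]
    lines += [f"argv[{i}]={arg!r}" for i, arg in enumerate(argv)]
    lines.append(f"stdin({len(stdin_bytes)} bytes)={stdin_bytes!r}")
    record = "\n".join(lines) + "\n"
    if log_path is not None:
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(record)
    return record


if __name__ == "__main__":
    if "--audit" in sys.argv:
        # Audit the constructed samples; on a real host read config.php instead.
        for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
            print(label, audit_squirrelmail_config(cfg) or ["no findings"])
    else:
        # Installed as $sendmail_path (assumption: /var/tmp is writable by the
        # web server user), the script records what the application passed and
        # exits 0 without ever sending or executing anything.
        log_invocation(sys.argv, sys.stdin.buffer.read(), "/var/tmp/sendmail-args.log")
```

Run `python3 script.py --audit` to see the weak sample produce two findings and the hardened one none. Used as a logger, the script replaces the transport entirely, so mail is dropped while it is in place; it is a diagnostic for a test instance, not something to leave configured in production.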
