Date: Tue, 25 Apr 2017 16:56:56 -0400 From: Stuart Gathman <stuart@...hman.org> To: oss-security@...ts.openwall.com Subject: Re: SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692) On 04/24/2017 05:14 PM, Dawid Golunski wrote: > SquirrelMail <= 1.4.23 Remote Code Execution (CVE-2017-7692) > > Desc.: > SquirrelMail is affected by a critical Remote Code Execution vulnerability > which stems from insufficient escaping of user-supplied data when > SquirrelMail has been configured with Sendmail as the main transport. > An authenticated attacker may be able to exploit the vulnerability > to execute arbitrary commands on the target and compromise the remote > system. We deploy squirrelmail NOT using sendmail for sending mail ($useSendmail = false). There is no reason not to use SMTP instead of running sendmail directly. It doesn't seem to be vulnerable that way - and I suggest that as a mitigation. Just to be sure, after reading this advisory I added $sendmail_path = '/usr/sbin/false'; (We always avoid direct command execution with PHP because PHP is prone to quoting bugs.) OT: is there already a utility that *safely* logs arguments and stdin (as was apparently used to explain the exploit)? I could write a C prog, or a carefully quoted bash script - but would rather use an already proven utility.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ