CVE-2009-1381: OS Command Injection
First published: Thu May 21 2009(Updated: )
It was discovered that original upstream patch for server-side command execution flaw affecting setups with map_yp_alias username map enabled did not address the issue completely, due to incorrect use of quoting (backticks vs. single quotes). Code execution was still possible in upstream version 1.4.18. Issue was fixed upstream in 1.4.19. Updated upstream security advisory: <a href="http://www.squirrelmail.org/security/issue/2009-05-10">http://www.squirrelmail.org/security/issue/2009-05-10</a> Full upstream patch: <a href="http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php?r1=13549&r2=13733">http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php?r1=13549&r2=13733</a>
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Squirrelmail Squirrelmail | =1.4.2 | |
| Squirrelmail Squirrelmail | =1.4.0-r1 | |
| Squirrelmail Squirrelmail | =1.2.7 | |
| Squirrelmail Squirrelmail | =1.2.6-rc1 | |
| Squirrelmail Squirrelmail | =1.2.9 | |
| Squirrelmail Squirrelmail | =1.4.3_rc1 | |
| Squirrelmail Squirrelmail | =1.4.2-r3 | |
| Squirrelmail Squirrelmail | =1.4.2-r5 | |
| Squirrelmail Squirrelmail | =1.4.1 | |
| Squirrelmail Squirrelmail | =1.4.0 | |
| Squirrelmail Squirrelmail1.4.19-1 | ||
| Squirrelmail Squirrelmail | =1.4.2-r1 | |
| Squirrelmail Squirrelmail | =1.2.6 | |
| Squirrelmail Squirrelmail | =1.4.2-r2 | |
| Squirrelmail Imap General.php | =1.2.2 | |
| Squirrelmail Squirrelmail | =1.4.2-r4 | |
| Squirrelmail Squirrelmail | =1.2.10 | |
| Squirrelmail Squirrelmail | =1.2.5 | |
| Squirrelmail Squirrelmail | =1.2.8 | |
| Squirrelmail Squirrelmail | =1.2.11 | |
| Squirrelmail Squirrelmail | =1.4.3_rc1-r1 | |
| Squirrelmail Squirrelmail | =1.4.2 | |
| Squirrelmail Squirrelmail | =1.4.2-r1 | |
| Squirrelmail Squirrelmail | =1.4.2-r2 | |
| Squirrelmail Squirrelmail | =1.4.2-r3 | |
| Squirrelmail Squirrelmail | =1.4.2-r4 | |
| Squirrelmail Squirrelmail | =1.4.2-r5 | |
| Squirrelmail Squirrelmail | =1.4.3_rc1 | |
| Squirrelmail Squirrelmail | =1.4.3_rc1-r1 | |
| Squirrelmail Squirrelmail1.4.19-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://release.debian.org/proposed-updates/stable_diffs/squirrelmail_1.4.15-4+lenny2.debdiff
- http://secunia.com/advisories/35140
- http://www.debian.org/security/2009/dsa-1802
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:122
- http://www.securityfocus.com/archive/1/503718/100/0/threaded
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01195.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01202.html
- http://www.squirrelmail.org/security/issue/2009-05-10
- http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php?r1=13549&r2=13733
- https://access.redhat.com/security/cve/CVE-2009-1579
- http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-1.fc11
- http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-1.fc10
- http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-1.fc9
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1381
- http://www.securityfocus.com/archive/1/archive/1/503718/100/0/threaded
- https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5350
- https://admin.fedoraproject.org/updates/F9/FEDORA-2009-5471
- http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-2.fc11
- https://bugzilla.redhat.com/show_bug.cgi?id=502137
- https://www.cve.org/CVERecord?id=CVE-2009-1381 https://nvd.nist.gov/vuln/detail/CVE-2009-1381
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1381.json
- collector/nvd-historical
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- collector/redhat-cve
- source/Red Hat
- collector/redhat-bugzilla
- alias/CVE-2009-1381
- agent/type
- agent/severity
- agent/references
- agent/weakness
- agent/tags
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/squirrelmail
- canonical/squirrelmail squirrelmail
- version/squirrelmail squirrelmail/1.4.2
- version/squirrelmail squirrelmail/1.4.0-r1
- version/squirrelmail squirrelmail/1.2.7
- version/squirrelmail squirrelmail/1.2.6-rc1
- version/squirrelmail squirrelmail/1.2.9
- version/squirrelmail squirrelmail/1.4.3_rc1
- version/squirrelmail squirrelmail/1.4.2-r3
- version/squirrelmail squirrelmail/1.4.2-r5
- version/squirrelmail squirrelmail/1.4.1
- version/squirrelmail squirrelmail/1.4.0
- canonical/squirrelmail squirrelmail1.4.19-1
- version/squirrelmail squirrelmail/1.4.2-r1
- version/squirrelmail squirrelmail/1.2.6
- version/squirrelmail squirrelmail/1.4.2-r2
- canonical/squirrelmail imap general.php
- version/squirrelmail imap general.php/1.2.2
- version/squirrelmail squirrelmail/1.4.2-r4
- version/squirrelmail squirrelmail/1.2.10
- version/squirrelmail squirrelmail/1.2.5
- version/squirrelmail squirrelmail/1.2.8
- version/squirrelmail squirrelmail/1.2.11
- version/squirrelmail squirrelmail/1.4.3_rc1-r1