REDHAT-BUG-502137
First published: Fri May 22 2009(Updated: )
It was discovered that original upstream patch for server-side command execution flaw affecting setups with map_yp_alias username map enabled did not address the issue completely, due to incorrect use of quoting (backticks vs. single quotes). Code execution was still possible in upstream version 1.4.18. Issue was fixed upstream in 1.4.19. Updated upstream security advisory: <a href="http://www.squirrelmail.org/security/issue/2009-05-10">http://www.squirrelmail.org/security/issue/2009-05-10</a> Full upstream patch: <a href="http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php?r1=13549&r2=13733">http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php?r1=13549&r2=13733</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SquirrelMail |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.squirrelmail.org/security/issue/2009-05-10
- http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/imap_general.php?r1=13549&r2=13733
- https://access.redhat.com/security/cve/CVE-2009-1579
- http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-1.fc11
- http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-1.fc10
- http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-1.fc9
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1381
- http://www.securityfocus.com/archive/1/archive/1/503718/100/0/threaded
- http://release.debian.org/proposed-updates/stable_diffs/squirrelmail_1.4.15-4+lenny2.debdiff
- http://www.debian.org/security/2009/dsa-1802
- http://secunia.com/advisories/35140
- https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5350
- https://admin.fedoraproject.org/updates/F9/FEDORA-2009-5471
- http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-2.fc11
- https://bugzilla.redhat.com/show_bug.cgi?id=502137
Frequently Asked Questions
What is the severity of REDHAT-BUG-502137?
The vulnerability REDHAT-BUG-502137 is considered critical due to its potential for server-side command execution.
How do I fix REDHAT-BUG-502137?
To fix REDHAT-BUG-502137, update SquirrelMail to the latest version that addresses the quoting issues in the mapping of usernames.
What does REDHAT-BUG-502137 affect?
REDHAT-BUG-502137 affects SquirrelMail setups that have the map_yp_alias username map enabled.
What type of vulnerability is REDHAT-BUG-502137?
REDHAT-BUG-502137 is a server-side command execution vulnerability.
Is there a known exploit for REDHAT-BUG-502137?
Yes, there are known exploits for REDHAT-BUG-502137 due to the improper handling of quoting in the vulnerable code.
- agent/type
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-1381
- agent/first-publish-date
- agent/source
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/squirrelmail
- canonical/squirrelmail