PT-2005-2879 · Squirrelmail · G/Pgp Plugin

Jmp-Esp · Published 2005-12-31 · Updated 2018-10-19 · CVE-2005-1924

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

G/PGP Plugin versions 2.1 and earlier for Squirrelmail

Description

The issue allows remote authenticated users to execute arbitrary commands via shell metacharacters in the fpr parameter to the deleteKey function in gpg_keyring.php and the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php. This can be exploited through various PHP files, including import_key_file.php, import_key_text.php, keyring_main.php, and gpg_options.php.

Recommendations

For G/PGP Plugin versions 2.1 and earlier, consider disabling the deleteKey function and restricting access to the gpg_recv_key function until a patch is available. Avoid using the fpr and keyserver parameters in the affected API endpoints until the issue is resolved.
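
The class of fix for this kind of bug, as an added example that is not the plugin's code or its patch: validate the two parameters against a strict allow-list and hand gpg an argument vector instead of a shell string. The function names `validate_fpr`, `validate_keyserver` and `gpg_argv` are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration; all function names here are hypothetical.

/** Accept only a hex key ID or fingerprint (8, 16, 32 or 40 hex digits). */
function validate_fpr(string $fpr): ?string
{
    $fpr = strtoupper(preg_replace('/^0x/i', '', trim($fpr)));
    $ok = preg_match('/\A(?:[0-9A-F]{8}|[0-9A-F]{16}|[0-9A-F]{32}|[0-9A-F]{40})\z/', $fpr);
    return $ok === 1 ? $fpr : null;
}

/** Accept only [scheme://]hostname[:port]; a leading '-' can never match. */
function validate_keyserver(string $ks): ?string
{
    $re = '/\A(?:(?:hkp|hkps|ldap|http|https):\/\/)?'
        . '[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?(?::[0-9]{1,5})?\z/i';
    return preg_match($re, trim($ks)) === 1 ? trim($ks) : null;
}

/** Build an argv array; given to proc_open() (PHP 7.4+) it runs without a shell. */
function gpg_argv(string $action, string $fpr, ?string $keyserver = null): array
{
    $key = validate_fpr($fpr);
    if ($key === null) {
        throw new InvalidArgumentException('invalid key fingerprint');
    }
    $argv = ['gpg', '--batch', '--no-tty'];
    if ($action === 'recv') {
        $ks = validate_keyserver((string) $keyserver);
        if ($ks === null) {
            throw new InvalidArgumentException('invalid keyserver');
        }
        array_push($argv, '--keyserver', $ks, '--recv-keys', $key);
    } elseif ($action === 'delete') {
        array_push($argv, '--yes', '--delete-keys', $key);
    } else {
        throw new InvalidArgumentException('unknown action');
    }
    return $argv;
}

// Constructed inputs: one clean request and two carrying shell metacharacters.
$samples = [['recv', '0xDEADBEEF', 'hkp://keys.example.org:11371'],
            ['delete', 'DEADBEEF; id', null], ['recv', 'DEADBEEF', 'keys.example.org|id']];
foreach ($samples as [$action, $fpr, $ks]) {
    try {
        echo implode(' ', gpg_argv($action, $fpr, $ks)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```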


Related identifiers

CVE-2005-1924

Affected products

G/Pgp Plugin