PT-2017-17890 · Squirrelmail · Squirrelmail

Dawid Golunski (+1) · Published 2017-04-20 · Updated 2026-05-20 · CVE-2017-7692

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

SquirrelMail versions prior to 20170427_0200-SVN

Description

The issue allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call, which can be exploited to execute arbitrary shell commands on the remote server. The problem lies in the initStream function of Deliver_SendMail.class.php, which incorrectly relies on escapeshellcmd() to sanitize the sendmail command. Because escapeshellcmd() does not escape whitespace, the -f$envelopefrom part of the sendmail command line is open to injection of arbitrary command parameters. If the target server uses sendmail and SquirrelMail is configured to use it, an attacker can trick sendmail into using a malicious sendmail.cf file, leading to arbitrary command execution. This can be achieved by uploading a sendmail.cf file as an email attachment and then injecting the filename with the -C option in the "Options > Personal Informations > Email Address" setting.

Recommendations

For SquirrelMail versions prior to 20170427_0200-SVN, as a temporary workaround, consider disabling the use of sendmail as a command-line program in the SquirrelMail configuration until a patch is available. Restrict access to the Deliver_SendMail.class.php file to minimize the risk of exploitation. Avoid using the envelopefrom variable in the sendmail command line until the issue is resolved. Update to a version newer than 20170427_0200-SVN to fully resolve the issue.
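
The escaping gap named in the Description, shown next to a hardened form. This is an added example, not SquirrelMail's code or its patch. The function names, the `-i -t` arguments, the `/usr/sbin/sendmail` path and the sample addresses are assumptions; nothing is executed, the commands are only built and printed.

```php
<?php
// Added illustration; all names here are hypothetical, not SquirrelMail's.

// Weak pattern: the whole command line goes through escapeshellcmd(),
// which neutralises shell metacharacters but leaves whitespace alone,
// so a space inside $from begins a new sendmail argument.
function build_command_weak(string $sendmailPath, string $from): string
{
    return escapeshellcmd("$sendmailPath -i -t -f$from");
}

// Accept only values that can be a plain envelope sender address.
function is_safe_envelope_from(string $from): bool
{
    if (preg_match('/[\s\x00-\x1F\x7F]/', $from)) {
        return false; // whitespace or control bytes are never valid here
    }
    return filter_var($from, FILTER_VALIDATE_EMAIL) !== false;
}

// Hardened pattern: validate first, then quote the value so the shell
// passes it to sendmail as exactly one argument glued to -f.
function build_command_hardened(string $sendmailPath, string $from): ?string
{
    if (!is_safe_envelope_from($from)) {
        return null;
    }
    return escapeshellcmd($sendmailPath) . ' -i -t -f' . escapeshellarg($from);
}

// Constructed sample inputs: one ordinary address, one with an extra word.
$samples = ['user@example.org', 'user@example.org --injected-arg'];

foreach ($samples as $from) {
    $weak = build_command_weak('/usr/sbin/sendmail', $from);
    // The weak string is unquoted, so the shell splits it on whitespace.
    $words = count(preg_split('/\s+/', $weak));
    printf("weak:     %s (%d argv words)\n", $weak, $words);

    $hard = build_command_hardened('/usr/sbin/sendmail', $from);
    printf("hardened: %s\n\n", $hard ?? '[rejected before reaching the shell]');
}
```

The weak builder yields one more argv word for the second sample than for the first, while the hardened builder rejects that sample outright and single-quotes the accepted one.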

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2017-7692
DLA-941-1
DSA-3852-1
MGASA-2017-0121

Affected Products

Squirrelmail