The PHP-based webmail package SquirrelMail suffers from a remote code execution vulnerability that could let attackers execute arbitrary commands on the target and compromise the system.
Dawid Golunski, a researcher with Legal Hackers, discovered the vulnerability and reported it to the project's maintainers in January. The researcher has previously uncovered similar remote code execution issues in the email libraries PHPMailer and SwiftMailer.
Developers behind the webmail package have reportedly been informed of the vulnerability, but it's unclear when, or if, it will be fixed.
Golunski, who disclosed the vulnerability in a write-up on his site Friday, said it stems from insufficient escaping of user-supplied data when the package is configured with Sendmail as its main transport.
Sendmail, perhaps the most popular mail transfer agent, is often configured as the default transport in email environments.
The researcher said that when SquirrelMail uses Sendmail, it fails to account for a character that attackers can use to inject additional command-line parameters. In a proof of concept, Golunski shows how an attacker could inject parameters that point Sendmail at a malicious configuration file, which can first be uploaded as an email attachment, to achieve arbitrary command execution.
The proof of concept contains payloads for two vectors, file write and remote code execution. It requires valid user credentials and a SquirrelMail installation configured to use Sendmail.
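To illustrate the defensive side of the flaw described above, here is an added Python example (not code from SquirrelMail or from either advisory) modelling the check a mail-sending routine needs before handing a user-supplied envelope sender to the Sendmail binary: reject anything outside a strict allowlist and pass arguments as a vector rather than through a shell. The page does not name the specific character involved, so the allowlist rejects all whitespace and shell metacharacters rather than relying on escaping any one of them.

```python
import re
import subprocess

# Allowlist for an envelope-sender address that will become one argument to
# the sendmail binary. Any whitespace (space, tab, newline), quotes or shell
# metacharacters fail the match, so the value can never be split into extra
# command-line parameters, whichever single character an escaper might miss.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_safe_envelope_sender(addr: str) -> bool:
    """True only if addr is a plain mailbox safe to pass as a single argv element."""
    if not addr or len(addr) > 254 or addr.startswith("-"):
        # A leading '-' would be read by sendmail as an option, not an address.
        return False
    return _ADDR_RE.fullmatch(addr) is not None


def build_sendmail_argv(sendmail_path: str, envelope_from: str) -> list:
    """Return the argument vector for sendmail, or raise if the sender is unsafe."""
    if not is_safe_envelope_sender(envelope_from):
        raise ValueError(f"rejected envelope sender: {envelope_from!r}")
    # Each list element is exactly one argv entry. No shell ever parses this,
    # so escaping is not relied on at all; the validation above is the control.
    return [sendmail_path, "-i", "-t", "-f", envelope_from]


def send_via_sendmail(sendmail_path: str, envelope_from: str, message: bytes) -> int:
    """Hand a complete RFC 5322 message to sendmail on stdin; return its exit code."""
    argv = build_sendmail_argv(sendmail_path, envelope_from)
    proc = subprocess.run(argv, input=message, shell=False)  # never shell=True
    return proc.returncode


def audit_senders(candidates: list) -> dict:
    """Self-check helper: map each candidate sender to accept (True) / reject (False)."""
    return {c: is_safe_envelope_sender(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs (not from the advisory) exercising the cases
    # a space-only escaper tends to miss: embedded tab, newline, quote, leading dash.
    samples = [
        "alice@example.com",
        "alice@example.com -x",
        "alice@example.com\t-x",
        "alice@example.com\n-x",
        "-x@example.com",
        "alice'@example.com",
    ]
    for sender, ok in audit_senders(samples).items():
        print(f"{'accept' if ok else 'reject'}: {sender!r}")
```

The same pattern applies in PHP: validate against an allowlist first and only then pass the value through escapeshellarg(), rather than trusting escaping alone.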
Golunski was prompted to release his advisory last week after Filippo Cavallarin, the CEO of Segment, an Italian security firm, disclosed the same issue on the Full Disclosure mailing list.
Cavallarin said he elected to disclose the vulnerability after he failed to make contact with the project’s maintainers. Golunski said he did manage to make contact and that a CVE (CVE-2017-5181) was assigned to the vulnerability but that the developers behind the package, citing personal issues, requested some time to patch.
The most recent version, 1.4.22, and prior versions of the package are believed to be vulnerable. As it’s an open source project and version 1.4.22 was released nearly six years ago, in July 2011, it’s not entirely clear if a patch is coming.
While there isn't a fix available, Golunski is encouraging users of the package to switch to a non-Sendmail transport, such as SMTP. Cavallarin links to an unofficial patch for the vulnerability in his disclosure.
Golunski says he has notified the project that both his and Cavallarin's disclosures are now public, but he has not yet received a response.