Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 6.8
CVE Id: CVE-2009-1381
Last Modified: 09 Jun 2009 01:34:05
Published: 22 May 2009 04:30:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2009-1381

Summary

The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.

Vulnerable Systems

Application

  • Squirrelmail 1.2.10
  • Squirrelmail 1.2.11
  • Squirrelmail 1.2.5
  • Squirrelmail 1.2.6
  • Squirrelmail 1.2.6-rc1
  • Squirrelmail 1.2.7
  • Squirrelmail 1.2.8
  • Squirrelmail 1.2.9
  • Squirrelmail 1.4.0
  • Squirrelmail 1.4.0-r1
  • Squirrelmail 1.4.1
  • Squirrelmail Imap General.php 1.2.2


References

BUGTRAQ - 20090521 [SECURITY] [DSA 1802-2] New squirrelmail packages correct incomplete fix

FEDORA - FEDORA-2009-5350

FEDORA - FEDORA-2009-5471

MANDRIVA - MDVSA-2009:122

DEBIAN - DSA-1802

SECUNIA - 35140

MISC - http://release.debian.org/proposed-updates/stable_diffs/squirrelmail_1.4.15-4+lenny2.debdiff


Last Updated: 27 May 2016 10:50:33