cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SquirrrelMail Vulnerability

wellanna
Dabbler
Posts: 16
Thanks: 1
Registered: ‎07-04-2014

SquirrrelMail Vulnerability

‎25-04-2017 12:39 PM

Hi,

I seem to recall that Plusnet Webmail is implemented with SquirrelMail.

Not sure which version you are running, but I think you need to look at this for the latest 1.4.22 release:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7692

http://securityaffairs.co/wordpress/58336/hacking/squirrelmail-rce.html

https://youtu.be/ceoUkWDG7tc

Thanks, Neal.

 

 

 

 

Message 1 of 7
(1,799 Views)
0 Thanks
6 REPLIES 6
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,892
Thanks: 4,986
Fixes: 316
Registered: ‎04-04-2007

Re: SquirrrelMail Vulnerability

‎25-04-2017 4:13 PM

Already aware, thanks Neal.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 2 of 7
(1,761 Views)
southerner
Aspiring Pro
Posts: 633
Thanks: 65
Fixes: 1
Registered: ‎27-11-2013

Re: SquirrrelMail Vulnerability

‎26-04-2017 10:53 AM

I use SM 1.4.23 as a webmail solution elsewhere so this interests me.

 

I looks like SM haven't released an official patch but the person who found the vulnerability released an unofficial patch? Just curious what the solution might be beyond switching webmail solutions?

Message 3 of 7
(1,714 Views)
0 Thanks
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,892
Thanks: 4,986
Fixes: 316
Registered: ‎04-04-2007

Re: SquirrrelMail Vulnerability

‎26-04-2017 11:06 AM - edited ‎26-04-2017 11:07 AM

It's specific to installations that are configured to use Sendmail, so configuring Squirrel to use SMTP instead would be one way to ensure that you're not vulnerable.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 4 of 7
(1,704 Views)
pjmarsh
Superuser
Superuser
Posts: 4,041
Thanks: 1,591
Fixes: 20
Registered: ‎06-04-2007

Re: SquirrrelMail Vulnerability

‎26-04-2017 12:48 PM

I would take a guess that Plusnet would be using SMTP anyway with SquirrelMail, so from what @bobpullen has said, this vulnerability would affect them.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

Message 5 of 7
(1,679 Views)
0 Thanks
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,892
Thanks: 4,986
Fixes: 316
Registered: ‎04-04-2007

Re: SquirrrelMail Vulnerability

‎27-04-2017 3:24 PM

@pjmarsh wrote:

... so from what @bobpullen has said, this vulnerability would affect them.


I assume you meant to type wouldn'tWink

 

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 6 of 7
(1,648 Views)
pjmarsh
Superuser
Superuser
Posts: 4,041
Thanks: 1,591
Fixes: 20
Registered: ‎06-04-2007

Re: SquirrrelMail Vulnerability

‎27-04-2017 3:34 PM

Sorry, @bobpullen, yes, that's exactly what I meant!

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

Message 7 of 7
(1,640 Views)
0 Thanks