SquirrelMail Vulnerability

wellanna
Dabbler
Posts: 14
Registered: 07-04-2014

SquirrelMail Vulnerability

Hi,

I seem to recall that Plusnet Webmail is implemented with SquirrelMail.

Not sure which version you are running, but I think you need to look at this for the latest 1.4.22 release:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7692

http://securityaffairs.co/wordpress/58336/hacking/squirrelmail-rce.html

https://youtu.be/ceoUkWDG7tc

Thanks, Neal.

6 REPLIES
Community Gaffer
Community Gaffer
Posts: 13,224
Thanks: 966
Fixes: 81
Registered: 04-04-2007

Re: SquirrelMail Vulnerability

Already aware, thanks Neal.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

southerner
Aspiring Pro
Posts: 512
Thanks: 45
Fixes: 1
Registered: 27-11-2013

Re: SquirrelMail Vulnerability

I use SM 1.4.23 as a webmail solution elsewhere so this interests me.

It looks like SM haven't released an official patch but the person who found the vulnerability released an unofficial patch? Just curious what the solution might be beyond switching webmail solutions?

Community Gaffer
Community Gaffer
Posts: 13,224
Thanks: 966
Fixes: 81
Registered: 04-04-2007

Re: SquirrelMail Vulnerability

It's specific to installations that are configured to use Sendmail, so configuring Squirrel to use SMTP instead would be one way to ensure that you're not vulnerable.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
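
An added example, not part of the thread and not SquirrelMail's own code: a check of which delivery method a SquirrelMail configuration selects, following the reply above that only Sendmail-configured installations are affected. It assumes the `$useSendmail` setting from `config/config.php`; the sample configuration is constructed, and `parse_settings` and `delivery_mode` are hypothetical helper names.

```python
import re

# Constructed sample resembling a SquirrelMail config/config.php (not from the thread).
SAMPLE_CONFIG = r"""<?php
// $useSendmail = false;   (old setting, commented out)
$smtpServerAddress = 'localhost';
$smtpPort = 25;
/* delivery method */
$useSendmail   = true;
$sendmail_path = '/usr/sbin/sendmail';
"""

_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Only lines that start with `$name = value;`, so `//` and `#` comment lines are skipped.
_ASSIGN = re.compile(r"^[ \t]*\$(\w+)[ \t]*=[ \t]*([^;\n]*?)[ \t]*;", re.M)


def parse_settings(php_text):
    """Return {name: value} for simple top-level assignments; a later one wins."""
    settings = {}
    for name, value in _ASSIGN.findall(_BLOCK_COMMENT.sub("", php_text)):
        settings[name] = value.strip("'\"")
    return settings


def delivery_mode(php_text):
    """'sendmail' if $useSendmail is true, 'smtp' if false, 'unknown' if unset."""
    value = parse_settings(php_text).get("useSendmail")
    if value is None:
        return "unknown"
    return "sendmail" if value.lower() in ("true", "1") else "smtp"


if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_CONFIG)
    mode = delivery_mode(SAMPLE_CONFIG)
    print("delivery mode:", mode)
    if mode == "sendmail":
        print("sendmail binary:", cfg.get("sendmail_path", "(not set)"))
        print("action: switch to SMTP delivery or apply a fix for CVE-2017-7692")
    elif mode == "smtp":
        print("SMTP server:", cfg.get("smtpServerAddress"), cfg.get("smtpPort"))
```

Run it against the effective configuration, including any local override file that is loaded after the main one, since a later assignment replaces an earlier one.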

Superuser
Superuser
Posts: 2,758
Thanks: 467
Fixes: 5
Registered: 06-04-2007

Re: SquirrelMail Vulnerability

I would take a guess that Plusnet would be using SMTP anyway with SquirrelMail, so from what @bobpullen has said, this vulnerability would affect them.

Community Gaffer
Community Gaffer
Posts: 13,224
Thanks: 966
Fixes: 81
Registered: 04-04-2007

Re: SquirrelMail Vulnerability


pjmarsh wrote:

... so from what @bobpullen has said, this vulnerability would affect them.


I assume you meant to type wouldn't ;)

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Superuser
Superuser
Posts: 2,758
Thanks: 467
Fixes: 5
Registered: 06-04-2007

Re: SquirrelMail Vulnerability

Sorry, @bobpullen, yes, that's exactly what I meant!