
SquirrelMail Vulnerability

wellanna
Dabbler
Posts: 16
Thanks: 1
Registered: ‎07-04-2014

SquirrelMail Vulnerability

Hi,

I seem to recall that Plusnet Webmail is implemented with SquirrelMail.

Not sure which version you are running, but I think you need to look at this for the latest 1.4.22 release:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7692

http://securityaffairs.co/wordpress/58336/hacking/squirrelmail-rce.html

https://youtu.be/ceoUkWDG7tc

Thanks, Neal.

6 REPLIES
bobpullen
Community Gaffer
Posts: 16,023
Thanks: 3,771
Fixes: 239
Registered: ‎04-04-2007

Re: SquirrelMail Vulnerability

Already aware, thanks Neal.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

southerner
Aspiring Pro
Posts: 606
Thanks: 61
Fixes: 1
Registered: ‎27-11-2013

Re: SquirrelMail Vulnerability

I use SM 1.4.23 as a webmail solution elsewhere so this interests me.

It looks like SM haven't released an official patch but the person who found the vulnerability released an unofficial patch? Just curious what the solution might be beyond switching webmail solutions?

bobpullen
Community Gaffer
Posts: 16,023
Thanks: 3,771
Fixes: 239
Registered: ‎04-04-2007

Re: SquirrelMail Vulnerability

It's specific to installations that are configured to use Sendmail, so configuring Squirrel to use SMTP instead would be one way to ensure that you're not vulnerable.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
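
One way to check which delivery method an installation is set to, as an added example that is not part of the original thread or of SquirrelMail itself: it reads the `$useSendmail` setting from the text of a SquirrelMail config file. The sample configs are constructed, and treating a second file as a later override of the first is an assumption.

```python
import re

# Active PHP assignments such as:  $useSendmail = true;
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?)\s*;", re.MULTILINE)

def strip_comments(php):
    """Remove /* */ blocks and whole-line // or # comments."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return re.sub(r"^[ \t]*(//|#).*$", "", php, flags=re.MULTILINE)

def read_settings(*sources):
    """Parse sources in order; a later assignment overrides an earlier one."""
    settings = {}
    for php in sources:
        for name, value in ASSIGN.findall(strip_comments(php)):
            settings[name] = value.strip("'\"")
    return settings

def delivery_mode(*sources):
    """Return 'sendmail', 'smtp' or 'unknown' for the parsed configuration."""
    value = read_settings(*sources).get("useSendmail")
    if value is None:
        return "unknown"
    return "sendmail" if value.lower() in ("true", "1") else "smtp"

# Constructed sample configs (not taken from any real installation).
SENDMAIL_CONFIG = """<?php
/* constructed sample */
$useSendmail = true;
$sendmail_path = '/usr/sbin/sendmail';
"""

SMTP_CONFIG = """<?php
// $useSendmail = true;
$useSendmail = false;   // deliver over SMTP
$smtpServerAddress = 'localhost';
$smtpPort = 25;
"""

# Assumed local override file evaluated after the main config.
LOCAL_OVERRIDE = "<?php\n$useSendmail = true;\n"

if __name__ == "__main__":
    for label, srcs in [("sendmail", (SENDMAIL_CONFIG,)),
                        ("smtp", (SMTP_CONFIG,)),
                        ("smtp + override", (SMTP_CONFIG, LOCAL_OVERRIDE))]:
        print(f"{label:16} -> {delivery_mode(*srcs)}")
```

A result of `sendmail` means the installation uses the delivery method this thread is about; commented-out lines are ignored, so a stale `// $useSendmail = true;` does not cause a false alarm.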

pjmarsh
Superuser
Posts: 3,582
Thanks: 1,253
Fixes: 12
Registered: ‎06-04-2007

Re: SquirrelMail Vulnerability

I would take a guess that Plusnet would be using SMTP anyway with SquirrelMail, so from what @bobpullen has said, this vulnerability would affect them.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

bobpullen
Community Gaffer
Posts: 16,023
Thanks: 3,771
Fixes: 239
Registered: ‎04-04-2007

Re: SquirrelMail Vulnerability


@pjmarsh wrote:

... so from what @bobpullen has said, this vulnerability would affect them.


I assume you meant to type wouldn't ;)

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

pjmarsh
Superuser
Posts: 3,582
Thanks: 1,253
Fixes: 12
Registered: ‎06-04-2007

Re: SquirrelMail Vulnerability

Sorry, @bobpullen, yes, that's exactly what I meant!

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.