back to article Alert: If you're running SquirrelMail, Sendmail... why? And oh yeah, remote code vuln found

Security researchers have uncovered a critical security hole in SquirrelMail, the open-source webmail project. Filippo Cavallarin and Dawid Golunski independently discovered a remote code execution hole in SquirrelMail version 1.4.22 and likely prior. That's the latest version, by the way, and is dated July 2011. The bug is a …

  1. DougS Silver badge

    Article title is misleading

    Makes it sound like there is a remote exploit in sendmail, when the problem is 100% confined to SquirrelMail.

    1. Nate Amsden

      Re: Article title is misleading

      I agree should say something like "Do you use squirrelmail with sendmail.."

      on that note, as a squirrelmail user for 17 years now(even though I use roundcube today I still have SM installed for some family members who use it, last used SM in an office environment probably 2002), even back in the days when I did use sendmail I have always had squirrelmail just use smtp to localhost to send email. Not sure what the advantage ever might of been to using a local binary instead of smtp. I certainly never got any complaints.

    2. Anonymous Coward
      Anonymous Coward

      @Doug

      And by the tone of the whole article I also wonder if they really meant Sendmail the MTA or the sendmail executable.

    3. bombastic bob Silver badge
      Coffee/keyboard

      Re: Article title is misleading

      I don't mind, it got me to read it, and knowing that squirrel mail has a vuln is fine. But yeah, heart palpitations just before that point...

  2. Anonymous Coward
    Anonymous Coward

    Specsavers

    Pretty sure Specsavers use this in some way.

    One of my customers was having trouble emailing them, so I had the Specsavers person email me so I could confirm their address was correct, and to see if I could mail them okay.

    Remember seeing SquirrelMail in the headers! :-D

  3. Number6

    SquirrelMail version 1.4.22 and likely prior. That's the latest version, by the way, and is dated July 2011.

    Interestingly enough, my Squirrelmail claims to be version 1.4.23 [SVN] so I guess while it's a snapshot of a stable version, it's not actually a stable version.

  4. Anonymous Coward
    Anonymous Coward

    Looks like it's fixed since the article published

    https://sourceforge.net/p/squirrelmail/code/14651/

    - Fixed insufficient sendmail command argument escaping (thanks

    to Mitchel Sahertian, Maor Shwartz, Dawid Golunski and Filippo

    Cavallarin for bringing this to our attention). [CVE-2017-7692]

    1. Florida1920
      Pint

      Re: Looks like it's fixed since the article published

      When you see El Vulture circling, you'd better look alive!

  5. P. Lee Silver badge

    Do I understand this correctly?

    Only an authenticated user can run this attack?

  6. akfek

    illness

    The squirrelmail guy has been ill.

  7. jamesb2147

    Why?

    Because not everyone wants to have cloud email from a provider beholden to foreign governments.

    Your servers, your data.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why?

      ... therefore your choice of software. So why still using squirrelmail?

      1. PyLETS

        Re: Why?

        Squirrelmail has been around for years, and trouble free in my case, and this vulnerability doesn't affect me as I use SMTP/IMAP as the front/back ends for it. As with others, I try to keep personal and family communications away from corporate data mining and branding. I've heard of Roundcube, but as I've been successful with Squirrelmail/Postfix/Mailman and others, which have been relatively straightforward to setup , configure and maintain compared to Sendmail which I used in the past. So I've had no reason to try Roundcube as Squirrelmail just works. Can you provide one ? It's Dovecote and trying to get proper email clients working sensibly on all sorts of tablet/phone platforms that have me tearing my hair out, so maintaining webmail for this kind of application (other than on proper desktops which have proper email clients) makes more sense as I only need to do it once for many client platforms.

      2. Trevor_Pott Gold badge

        Re: Why?

        Why not use Squirrelmail + Sendmail? They've served me well for over ten years, I don't see any benefit in changing...

  8. John Smith 19 Gold badge
    Unhappy

    "The bug is a classic failure to sanitize user input,"

    You'd really think there was a library that took care of that sort of stuff for you by now, wouldn't you?

    1. Mike 16 Silver badge

      Re: "The bug is a classic failure to sanitize user input,"

      There are probably several such libraries. Where do you think these bugs live?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019