SquirrelMail SquirrelSpell Remote Shell Command Execution Vulnerability

SquirrelMail SquirrelSpell Remote Shell Command Execution Vulnerability

SquirrelMail is a feature rich webmail program implemented in the PHP4 language. It is available for Linux and Unix based operating systems. SquirrelMail allows for extended functionality through a plugin system.

The SquirrelSpell plugin for SquirrelMail may, if called directly, pass user supplied input to a shell command. If the input contains shell metacharacters, arbitary commands may be executed. Exploitation of this vulnerability may lead to local access as the non-privileged user 'nobody'.

Earlier versions of SquirrelSpell may share this vulnerability.