squirrelmail

• Author: Miklos Vajna
• Vulnerable: 1.4.17-2anacreon1
• Unaffected: 1.4.17-3anacreon1

The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program.

• Bug Tracker URL: http://bugs.frugalware.org/task/3779

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1579
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1381