The parseAddress code in (1) SquirrelMail 1.4.0 and (2) GPG Plugin 1.1 allows remote malicious users to execute commands via shell metacharacters in the "To:" field.
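An added example, not part of the Metasploit module below or of SquirrelMail's own code: the defensive pattern for this bug class in Ruby, assuming the "To:" value ends up as a recipient argument on a gpg command line. The helper names (`extract_recipient`, `gpg_argv`, `echo_via_argv`) are hypothetical and the sample inputs are constructed.

```ruby
require 'open3'
require 'rbconfig'

# Strict allowlist for an address headed to a command line: no quotes,
# spaces, semicolons, pipes, backticks or "$", and no leading "-".
ADDR_RE = /\A[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/

# Pull the address out of "Display Name <addr>" or a bare address.
# Returns nil when the result is not a plain address (fail closed).
def extract_recipient(field)
  addr = field[/<([^<>]*)>\s*\z/, 1] || field.strip
  ADDR_RE.match?(addr) ? addr : nil
end

# Build an argument vector (never a shell string) for the encrypt step.
# The gpg options are standard; this wrapper itself is hypothetical.
def gpg_argv(to_field)
  rcpts = to_field.split(',').map { |f| extract_recipient(f) }
  if rcpts.empty? || rcpts.include?(nil)
    raise ArgumentError, 'rejected recipient in To: field'
  end
  %w[gpg --batch --armor --encrypt] + rcpts.flat_map { |r| ['--recipient', r] }
end

# Show that an argv-style spawn hands metacharacters to the child as data.
# The running Ruby is the child process, so no gpg install is needed.
def echo_via_argv(arg)
  out, status = Open3.capture2(RbConfig.ruby, '-e', 'print ARGV[0]', arg)
  raise 'child failed' unless status.success?
  out
end

# Constructed sample inputs (not taken from the page).
GOOD = 'Alice Example <alice@example.org>, bob@example.net'
BAD  = 'alice@example.org; echo injected'

if __FILE__ == $PROGRAM_NAME
  p gpg_argv(GOOD)
  begin
    gpg_argv(BAD)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  p echo_via_argv(BAD) # the whole string arrives as one literal argument
end
```

Validation and shell-free spawning are independent layers: the allowlist rejects the malformed header outright, and the argument vector keeps any value that does get through from being interpreted by a shell.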
##
# $Id: squirrelmail_pgp_plugin.rb 10148 2010-08-25 20:31:46Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# metasploit.com/framework/
##
require 'msf/core ...