Slashdot Mirror


SquirrelMail Repository Poisoned

SkiifGeek writes "Late last week the SquirrelMail team posted information on their site about a compromise to the main download repository for SquirrelMail that resulted in a critical flaw being introduced into two versions of the webmail application (1.4.11 and 1.4.12). After gaining access to the repository through a release maintainer's compromised account (it is believed), the attackers made a slight modification to the release packages, modifying how a PHP global variable was handled. This introduced a remote file inclusion bug — leading to an arbitrary code execution risk on systems running the vulnerable versions of the software. The poisoning was identified by a difference in MD5 signatures for version 1.4.12. Version 1.4.13 is now available."
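The summary says the poisoning was caught because the MD5 of the 1.4.12 package no longer matched the published value. The script below is an added example of that check (it is not SquirrelMail project code): it compares an archive's digest with the value announced out of band and, on a mismatch, lists which files inside the archive differ from a known-good copy. The two archives, their file names and contents, and the "published" digest are all constructed in memory so it runs offline; the tampered file is a labelled placeholder, not the actual change made to the SquirrelMail releases.

```python
"""Release-integrity check of the kind that exposed the SquirrelMail poisoning:
compare a downloaded archive's digest with the value published out of band and,
on mismatch, report which files inside the archive differ from a known-good copy.

Added example; not SquirrelMail project code. The archives, their contents and
the "published" digest are all constructed in memory."""
import hashlib
import hmac
import io
import tarfile


def build_tar(members):
    """Build a tar archive from {path: bytes}. Constructed sample data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(members):
            data = members[path]
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = 0           # fixed metadata keeps the archive reproducible
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(blob, algo="md5"):
    """Hex digest of the whole archive (md5 as in the announcement above;
    sha256 is what you would publish today)."""
    return hashlib.new(algo, blob).hexdigest()


def verify_release(blob, published_digest, algo="md5"):
    """True only if the archive matches the digest announced out of band
    (mailing list, signed release notes), not one served beside the tarball."""
    return hmac.compare_digest(digest(blob, algo), published_digest)


def member_hashes(blob):
    """Map each regular file in the archive to the sha256 of its contents."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out


def changed_members(good_blob, suspect_blob):
    """Paths whose contents differ between the two archives, or that exist on
    only one side; this is the list a maintainer would audit by hand."""
    good, suspect = member_hashes(good_blob), member_hashes(suspect_blob)
    return sorted(p for p in set(good) | set(suspect) if good.get(p) != suspect.get(p))


# Constructed stand-in for a release tree (paths and contents are made up).
PRISTINE_FILES = {
    "webmail/index.php": b"<?php echo 'login form';\n",
    "webmail/include/globals.php": b"<?php $config_dir = '/etc/webmail';\n",
}
# Same tree with one file altered; the altered content is a labelled placeholder,
# not the change that was made to the SquirrelMail packages.
TAMPERED_FILES = dict(PRISTINE_FILES)
TAMPERED_FILES["webmail/include/globals.php"] = b"<?php /* constructed: tampered copy */\n"

PRISTINE_TAR = build_tar(PRISTINE_FILES)
TAMPERED_TAR = build_tar(TAMPERED_FILES)
PUBLISHED_MD5 = digest(PRISTINE_TAR)   # what the release announcement would carry


if __name__ == "__main__":
    for name, blob in (("pristine", PRISTINE_TAR), ("mirror copy", TAMPERED_TAR)):
        ok = verify_release(blob, PUBLISHED_MD5)
        print(f"{name}: md5 {digest(blob)} -> {'OK' if ok else 'MISMATCH'}")
        if not ok:
            print("  differing members:", changed_members(PRISTINE_TAR, blob))
```

The digest only helps if the reference value comes from somewhere the repository attacker could not also edit (a signed announcement, a second mirror, a maintainer's local copy); a checksum file uploaded alongside the tarball would simply have been replaced too. The member-level diff is what turns "the hash is wrong" into "this file was changed".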

3 of 182 comments

  1. Squirrelmail is awesome, I hope this doesn't hurt by mlwmohawk · · Score: 0, Offtopic

    I have been a squirrel mail user for some time, and I use it on my site as well as sites I set up. My current 9-5 job uses outlook, what a disaster!! Outlook Web Mail just sucks.

  2. We use SM & were just phished by Nimey · · Score: 0, Offtopic

    We're a midwestern university & use a slightly older version of Squirrelmail as our webmail interface. Just an hour ago some of our users got this phish:

    "Confirm Your Email Address!

      Dear <domain.edu> Subscriber,

      To complete and verify your <domain.edu> account, you must reply to this email immediately and enter your password here (*********)

      Failure to do this will immediately render your email address deactivated from our database.

      You can also confirm your email address by logging into your <domain.edu> account at <correct URL>

      Thank you for using DOMAIN. EDU!
      <UNIVERSITY NAME> UNIVERSITY WEBMAIL TEAM
    "

    Our version of Squirrelmail is too old to have been one of the compromised ones, and it might not be related, but the timing is mighty suspicious. The reply-to address on this is wi_hamilton (at) yahoo (dot) gr and purports to be from <UNIVERSITY NAME> UNIVERSITY WEBMAIL TEAM <support@domain.edu>, subject "Confirm Your Email Address!", X-Mailer MIME-tools 5.420 (Entity 5.420).

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem

  3. Better than Squirrelmail? by DirkNiblick · · Score: 0, Offtopic

    This is probably offtopic but I've been using Squirrelmail on my website for years. I like it but it's FUGLY. I've waited those years to see if they planned on maybe getting rid of the frames or adding real CSS in version 2 but I don't see any of that on the horizon. Updates and patches help fix bugs from internal and external sources but don't add much to the experience. I've written plugins and modified the source but those need to be updated/changed on every upgrade. Can SquirrelMail be made to be non-FUGLY?

    I've tried Horde (PITA as mentioned above) and Roundcube is nice but it's been in beta v0.1-rc2 for 2 years and is missing many features found in Squirrelmail. Can anyone point me to a free/open source webmail app alternative to SquirrelMail that's not FUGLY?