SECURITY: SquirrelMail Webserver Compromised

Published: June 16th, 2009 by Jonathan Angliss

At approximately 1700 GMT, on June 16, it was discovered that the SquirrelMail webserver had been compromised. The project administrators took immediate action to mitigate any further compromises, locking all accounts out, and resetting critical passwords.

At this time, the SquirrelMail project administrators have shut down access to the original server, and put a temporary hold on access to the plugins. It is believed that none of the plugins have been compromised, but further investigations are still being executed.

The compromise of this server does not include a compromise of the source control, which is hosted on a separate repository managed by SourceForge.

Further details will be published as soon as the details have been uncovered.

ANNOUNCE: SquirrelMail 1.4.19 Released

Published: May 21, 2009 by Thijs Kinkhorst
The security fix to map_yp_alias in 1.4.18 turned out to be incomplete. We also experienced some regressions in the updated filter plugin. Both are addressed in this new release 1.4.19 which contains a few other small fixes as well. If you do not use map_yp_alias or the filters plugin there's no urgent need to upgrade now if you already installed 1.4.18.

You can download it here.

ANNOUNCE: SquirrelMail Needs Your Help - Please Donate!

Published: May 18, 2009 by Paul Lesniewski
SquirrelMail is currently celebrating 10 years of providing free, Open Source Software to the world. We have a lot to be grateful for and many people to thank for how successful we've been! But running a high-profile project with all-volunteer labor means that the mundane chores gradually consume all our effort and sideline our visionary initiatives for our next big release. We feel that the time is right, after so many years of free service, to ask our community to contribute to the project and support us in keeping up with ongoing maintenance and development, and in speeding up the release of our new, fully-skinnable "Web 2.0" version. Please visit our donations and bounties page.

ANNOUNCE: SquirrelMail 1.4.18 Released

Published: May 11, 2009 by Paul Lesniewski
The SquirrelMail Team is pleased to announce the release of SquirrelMail version 1.4.18. The most notable changes for this version are several security fixes, including a couple XSS exploits, a session fixation issue, and an obscure but dangerous server-side code execution hole. However, this version also includes three new languages and more than a few enhancements to things such as the filters plugin, the address book system and other things under the hood. For more complete details, see the ReleaseNotes and ChangeLog files included in this release (they have moved to the doc/ directory). We advise all users of SquirrelMail software to upgrade. You can download it here.

NEWS: SquirrelMail replaces Microsoft Outlook in the office of the Indian Prime Minister

Published: Mar 24, 2009 by Paul Lesniewski
Several news outlets (Techgoss, infopackets, The Register, The Times of India, etc.) are reporting that after a virus prevented email retrieval for three months in the office of the Prime Minister of India, SquirrelMail was chosen as part of a replacement system that had previously been based on Microsoft products. This surely means that several other Open Source products were included in the switch, and we applaud both the Office Of the Prime Minister and its technology consultants who made the switch to Open Source Software!

SECURITY: Spam Alert

Published: Feb 23, 2009 by Paul Lesniewski
The spammer that has been sullying our good name for the past year continues to send out huge amounts of spam encouraging people to supposedly upgrade to what they claim is our newest version, 1.4.15. That is in fact not our newest version, but moreover, they provide a link in their spam that sends the victim to a login page that looks like the normal SquirrelMail login page - if you input any credentials on this page, of course, the spammer takes them and most likely uses them to send spam from your email account. You can NEVER upgrade SquirrelMail by simply "logging in" somewhere. The SquirrelMail team NEVER sends out unsolicited email, especially any that require your personal email username and password!

SECURITY: Plugins Security Alert

Published: Feb 04, 2009 by Paul Lesniewski
We are sorry to announce that we've had a security breach with our plugins system. An attacker uploaded at least four modified plugin packages, which we have since rectified. If you have downloaded any of the following plugins since January 17, 2009, you should immediately replace them (download them again):
AnnotateMore Server and Mailbox Annotations version 0.2
CAPTCHA version 1.1
Change LDAP Password version 2.2
Sieve Mail Filters version 1.9.7