SquirrelMail open source project's web server hacked

It has just become apparent that, on June 16, attackers hacked into the web server of the SquirrelMail open source project. The operators have suspended all accounts and reset all crucial passwords. Access to the original server and to all the available plug-ins has also been disabled. The operators believe that none of the plug-ins has been compromised, but investigations are still in progress. Third party plug-ins can be used to add features to SquirrelMail.

It is currently unknown as to how the intruders hacked into the server. According to the server operators, the SquirrelMail web mailer's source code was not accessible at any time because it is located on a different server. However, phishers are currently trying to convince users otherwise with a spamming campaign. In an email, they claim that versions 1.4.11, 1.4.12 and 1.4.13 contain a back door, and that version 1.4.15 has, therefore, been made available to download:

Due to the package compromise of 1.4.11,1.4.12 and 1.4.13, we are forced to release 1.4.15 to ensure no confusions. While initial review didn't uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server.

We STRONGLY advise all users of 1.4.11, 1.4.12 and 1.4.13 upgrade immediately.

The email contains a link that leads to what apparently looks like a SquirrelMail login page. However, users are redirected to a forged page requesting their user name and password instead. Users should be alerted to the suspicious nature of the alleged warning, because the real current version is 1.4.19. SquirrelMail users have, currently, no reason worry about any manipulations to their server.

(djwm)