SquirrelMail release tarballs enabled remote file inclusion
SquirrelMail 1.4.11 and 1.4.12 release archives were modified after release through a compromised maintainer account, turning official downloads into remote file-inclusion backdoors until 1.4.13 replaced them.
Story
SquirrelMail's December 2007 compromise was found the boring way: the published MD5 sums for 1.4.12 did not match the package sitting on the download servers. The project investigated and concluded that the final release package had been altered after release, likely through a compromised account belonging to one of the release maintainers. The source-control history was not the delivery path; the tainted code was in the official packaged archives.
The first public note sounded cautious because the inserted code seemed to depend on a PHP global variable the maintainers could not immediately trace. Within a day, outside review had turned that uncertainty into a concrete exploit path. The injected logic let a request-supplied HTTP_BASE_PATH value define SM_PATH, which in SquirrelMail's PHP include flow could become remote file inclusion and then server-side code execution.
The scope also widened from 1.4.12 to 1.4.11. SquirrelMail released 1.4.13 on December 14 and told users of both affected versions to upgrade immediately. Red Hat and Fedora bug traffic is useful context: those distributions determined their shipped packages were based on clean tarballs, while the upstream archives themselves were treated as compromised.
The episode is a compact early example of why release artifacts need their own verification trail. The attacker did not need a public commit, a plugin ecosystem, or a complex installer. Replacing the source archive on trusted project infrastructure was enough to put a remote-execution primitive in front of administrators who believed they were downloading a routine webmail maintenance release.
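Checking downloaded archives against a separately published checksum list, which is how the 1.4.12 tampering was noticed, as an added example that is not part of the original record or of SquirrelMail's own tooling; the file names follow the page, while the archive bytes and the resulting sums are constructed:

```python
import hashlib
from typing import Dict

def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of an archive (md5 because that is what the 2007 advisories published)."""
    return hashlib.new(algo, data).hexdigest()

def parse_sums(text: str) -> Dict[str, str]:
    """Parse md5sum/sha256sum-style output: '<hex>  <filename>' per line."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition(" ")
        # md5sum writes two spaces, or ' *' in binary mode; accept both.
        sums[name.strip().lstrip("*")] = hexdigest.lower()
    return sums

def verify(published: Dict[str, str], downloaded: Dict[str, bytes],
           algo: str = "md5") -> Dict[str, str]:
    """Status per archive: 'ok', 'MISMATCH' (altered), or 'UNLISTED' (nothing to compare to)."""
    report: Dict[str, str] = {}
    for name, data in downloaded.items():
        expected = published.get(name)
        if expected is None:
            report[name] = "UNLISTED"
        elif digest(data, algo) == expected:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report

# Constructed scenario, not real SquirrelMail bytes: sums recorded from the
# clean archives at release time and published apart from the download host.
CLEAN = {
    "squirrelmail-1.4.11.tar.bz2": b"clean 1.4.11 archive bytes",
    "squirrelmail-1.4.12.tar.bz2": b"clean 1.4.12 archive bytes",
}
PUBLISHED_MD5 = "\n".join(f"{digest(d)}  {n}" for n, d in CLEAN.items())

# What the download server hands out later: 1.4.12 was altered after release,
# and a file the sums list never covered is present as well.
SERVED = dict(CLEAN)
SERVED["squirrelmail-1.4.12.tar.bz2"] = b"clean 1.4.12 archive bytes" + b" + altered"
SERVED["squirrelmail-1.4.13.tar.bz2"] = b"archive not covered by the sums list"

def check_served() -> Dict[str, str]:
    """Run the comparison for the constructed download-server contents."""
    return verify(parse_sums(PUBLISHED_MD5), SERVED)
```

The comparison is only meaningful when the sums come from somewhere the attacker could not also rewrite (a signed announcement, a mirror, or a copy recorded at release time); a sums file served next to the archive verifies nothing.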
Affected Artifacts
- Package squirrelmail-1.4.12.tar.bz2
  - Observed: 2007-12-08 to 2007-12-14
  - Compromised Versions:
  - Fixed: 1.4.13
  - Hashes:
    - md5:ea5e750797628c9f0f247009f8ae0e14
    - md5:d17c1d9f1ee3dde2c1c21a22fc4f9d0e
    - md5:3f6514939ea1ebf69f6f8c92781886ab
  - Evidence: distribution: squirrelmail.org/download.php; distribution: sourceforge.net/projects/squirrelmail/files/stable/1.4.12; cve: CVE-2007-6348; package: squirrelmail-1.4.12.tar.bz2; +5 more
- Package squirrelmail-1.4.11
  - Observed: 2007-12-08 to 2007-12-14
  - Compromised Versions:
  - Fixed: 1.4.13
  - Evidence: distribution: squirrelmail.org/download.php; distribution: sourceforge.net/projects/squirrelmail/files/stable/1.4.11; cve: CVE-2007-6348; package: squirrelmail-1.4.11; +3 more
- The project said the altered code did not enter source control; the trusted release packages were the compromised artifacts.
- LWN reported no public evidence that systems had been compromised through the poisoned archives, and Fedora and Red Hat concluded their packaged builds came from clean tarballs.
Incident Context
- Motive: Unauthorized Access Control
- Cause: Compromised Account Credentials
- Transitive: No
External References
- SquirrelMail-devel: SECURITY: 1.4.12 Package Compromise (marc.info)
- SquirrelMail-devel discussion of HTTP_BASE_PATH injection (marc.info)
- Bugtraq: ANNOUNCE: SquirrelMail 1.4.13 Released (marc.info)
- The backdooring of SquirrelMail (lwn.net)
- SquirrelMail package compromise (lwn.net)
- SquirrelMail 1.4.13 released (lwn.net)
- Latest SquirrelMail download compromised (helpnetsecurity.com)
- SquirrelMail warns of high-risk package compromise (zdnet.com)
- CVE-2007-6348 Squirrelmail compromise (bugzilla.redhat.com)
- Upgrade to SquirrelMail 1.4.13 (bugzilla.redhat.com)
- SquirrelMail package compromise advisory (github.com)
- CNCF TAG Security catalog entry for SquirrelMail (tag-security.cncf.io)
- SquirrelMail repository poisoned (it.slashdot.org)
Source record: oss/attacks/squirrelmail/meta.yaml