Open Source · 2009-06-18 · 42 days · Credential Theft, Data Exfiltration

SquirrelMail plugin archives stole passwords

After a SquirrelMail web-server compromise in June 2009, the project found that three official plugin archives had been modified to mail user passwords to an offsite server.

Story

SquirrelMail had another distribution problem in 2009, but this one lived in the plugin channel rather than the core webmail release. The project disclosed in June that its web server had been compromised; it locked accounts, reset critical passwords, and took the plugin repository offline while it investigated. At first, the team said it believed the plugins themselves had not been altered.

The follow-up was worse. On July 30, SquirrelMail announced that three plugin packages on its own site were in fact compromised: sasql-3.2.0, multilogin-2.4-1.2.9, and change_pass-3.0-1.4.0. Those were not lookalike downloads. They were plugins administrators expected to obtain from the SquirrelMail plugin repository.

The injected PHP attempted to send mail to an offsite server containing passwords. That made the affected plugin set especially sensitive: two of the names, multilogin and change_pass, sit close to authentication and account-management workflows, where administrators would least want silent exfiltration code running inside the webmail stack.

SquirrelMail could not establish when the plugin packages had been modified. The practical advice was blunt: anyone using the affected versions should download fresh copies and compare against the clean MD5 hashes published with the July 30 notice. Unlike the 2007 release-tarball incident, this compromise came after an already-known server intrusion and showed why "we think the downloads are fine" has to be treated as a hypothesis until every artifact has been re-verified.
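The verification step the notice asked for, as an added example that is not SquirrelMail's own tooling: download the archives, then check each one against the digests published with the notice and flag anything that mismatches, is missing, or is not covered at all. The checker accepts manifest entries in the same `algo:hexdigest` form the record above uses, so it works unchanged with sha256 manifests; the archive bytes, the manifest and the file names in `demo()` are constructed for this example.

```python
import hashlib
import os
import tempfile

# Added example (not SquirrelMail's own code): verify downloaded plugin
# archives against a published hash manifest. Manifest lines look like
#   md5:<hexdigest>  <filename>
# mirroring the "md5:..." form of the Hashes field, so any hashlib algorithm
# can be named by the prefix. All sample data below is constructed.

CHUNK = 64 * 1024


def parse_manifest(text):
    """Parse '<algo>:<hexdigest>  <filename>' lines into {filename: (algo, hexdigest)}.
    Blank lines and '#' comments are skipped; unknown algorithms are rejected."""
    manifest = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest_spec, filename = line.split(None, 1)
        algo, _, hexdigest = digest_spec.partition(":")
        if algo not in hashlib.algorithms_available:
            raise ValueError("unsupported digest algorithm: %s" % algo)
        manifest[filename.strip()] = (algo, hexdigest.lower())
    return manifest


def digest_file(path, algo):
    """Stream a file through the named hashlib algorithm and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, manifest):
    """Compare every archive in `directory` with the manifest.

    Returns {filename: status}, where status is one of:
      'ok'        digest matches the published value
      'MISMATCH'  file present but digest differs (treat as tampered)
      'missing'   listed in the manifest but not present on disk
      'unlisted'  present on disk but not covered by the manifest
    """
    results = {}
    for filename, (algo, expected) in manifest.items():
        path = os.path.join(directory, filename)
        if not os.path.isfile(path):
            results[filename] = "missing"
            continue
        results[filename] = "ok" if digest_file(path, algo) == expected else "MISMATCH"
    for name in sorted(os.listdir(directory)):
        if name not in manifest and os.path.isfile(os.path.join(directory, name)):
            results[name] = "unlisted"
    return results


def demo():
    """Build a throwaway download directory from constructed archive bytes: one
    clean plugin, one tampered copy, one listed-but-absent archive and one stray
    file. The 'published' manifest stands in for the notice and is derived from
    the clean bytes, so the digests are known to be correct."""
    clean = {
        "change_pass-3.0-1.4.0.tar.gz": b"constructed clean change_pass archive",
        "multilogin-2.4-1.2.9.tar.gz": b"constructed clean multilogin archive",
        "sasql-3.2.0.tar.gz": b"constructed clean sasql archive",
    }
    manifest_text = "\n".join(
        "md5:%s  %s" % (hashlib.md5(data).hexdigest(), name)
        for name, data in clean.items()
    )
    manifest = parse_manifest(manifest_text)
    with tempfile.TemporaryDirectory() as d:
        for name, data in clean.items():
            if name.startswith("sasql"):
                continue  # simulate an archive the admin has not downloaded yet
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # simulate a modified archive: extra bytes appended after download
        with open(os.path.join(d, "multilogin-2.4-1.2.9.tar.gz"), "ab") as f:
            f.write(b"\nconstructed tampered bytes")
        with open(os.path.join(d, "README.txt"), "wb") as f:
            f.write(b"not covered by the manifest")
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-32s %s" % (name, status))
```

Treat 'MISMATCH' and 'unlisted' as stop conditions rather than warnings: a digest that differs from the published value is exactly the signal this incident turned on, and an archive the notice does not cover has not been re-verified at all.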

Affected Artifacts

Observed: 2009-06-18 to 2009-07-30
Compromised Versions: sasql-3.2.0, multilogin-2.4-1.2.9, change_pass-3.0-1.4.0
Fixed: Not listed
Hashes:
  • md5:2cff7c5d4f6f5d8455683bb5d96bb9fe
Evidence:
  • distribution: squirrelmail.org/plugins.php, package: change_pass-3.0-1.4.0.tar.gz, observable: modified plugin code attempted to send mail to an offsite server containing passwords.
  • SquirrelMail said it could not establish when the three plugin packages were compromised, so the start date follows the public June 2009 web-server compromise disclosure rather than a confirmed first malicious package date.

Incident Context

Motive: Credential Theft
Cause: Compromised Infrastructure
Transitive: No

External References

Source record: oss/attacks/squirrelmail/meta.yaml