Last Updated: 2007-12-14 20:22:46 UTC
by Stephen Hall (Version: 1)
The analysis of the Squirrelmail 1.4.12 code base is in, and it would look more serious than first thought. 1.4.11 would appear to have also been affected, so they have released 1.4.13 and have posted the following announcement:
Due to the package compromise of 1.4.11, and 1.4.12, we are forced to release 1.4.13 to ensure no confusions. While initial review didn't uncover a need for concern, several proof of concepts show that the package alterations introduce a high risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server.
Details, and the updated bundles (please remember to check those MD5's and PGP sig's) at www.squirrelmail.org/