We mentioned on Friday that the SquirrelMail download packages were compromised. Although the first statement said that “modifications to the code should have little to no impact at this time”, it now looks like the situation is rather serious. Here is a news update from the SquirrelMail developers.
Due to the package compromise of 1.4.11 and 1.4.12, we are forced to release 1.4.13 to avoid confusion. While the initial review didn’t uncover a need for concern, several proofs of concept show that the package alterations introduce a high-risk security issue, allowing remote inclusion of files. These changes would allow a remote user to execute exploit code on a victim machine, without any user interaction on the victim’s server. This could grant the attacker the ability to deploy further code on the victim’s server.
We STRONGLY advise all users of 1.4.11 and 1.4.12 to upgrade immediately.
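The practical check this story calls for, added here as an example and not SquirrelMail's own tooling: before unpacking a downloaded release archive, compare it against a digest obtained through a channel independent of the download server. The file names, the stand-in archive contents and the out-of-band digest source below are assumptions; only the standard `sha256sum`/`shasum` tools are relied on.

```shell
#!/bin/sh
# Added example, not SquirrelMail's own tooling: check a downloaded release
# archive against a SHA-256 digest obtained out of band before unpacking it.
# Assumption: the trusted digest comes from a channel independent of the
# download mirror (a signed announcement, a developer's mail), since a
# digest served next to a tampered package can be tampered with too.

# sha256_of FILE: print the hex digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX: exit status 0 on match, 1 on mismatch.
# A mismatch is reported on stderr so it shows up in a deployment log.
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    printf 'MISMATCH %s\n  expected %s\n  actual   %s\n' "$1" "$2" "$actual" >&2
    return 1
}

# Constructed demo: a stand-in for the release archive, and a copy with one
# extra line appended, standing in for an altered package.
demo_dir=$(mktemp -d)
printf 'stand-in for squirrelmail-1.4.13.tar.gz\n' > "$demo_dir/clean.tar.gz"
cp "$demo_dir/clean.tar.gz" "$demo_dir/tampered.tar.gz"
printf 'one appended line\n' >> "$demo_dir/tampered.tar.gz"

# The trusted digest is taken from the clean archive, as if copied from an
# out-of-band announcement (assumption for the demo).
GOOD_DIGEST=$(sha256_of "$demo_dir/clean.tar.gz")

if verify_sha256 "$demo_dir/clean.tar.gz" "$GOOD_DIGEST"; then CLEAN_OK=yes; else CLEAN_OK=no; fi
if verify_sha256 "$demo_dir/tampered.tar.gz" "$GOOD_DIGEST" 2>/dev/null; then TAMPERED_OK=yes; else TAMPERED_OK=no; fi
rm -rf "$demo_dir"

echo "clean archive matches: $CLEAN_OK; tampered archive matches: $TAMPERED_OK"
```

The value of the check lies entirely in where the expected digest comes from: a hash file sitting beside the package on the same download host proves nothing if that host was the thing compromised. A digest quoted in a separately delivered announcement, or a detached signature from a developer key you already hold, is what turns the comparison into evidence that the archive is the one the developers shipped.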