SquirrelMail
| SquirrelMail | |
|---|---|
| Original authors | Nathan and Luke Ehresman[1] |
| Developer | The SquirrelMail Project Team |
| Initial release | 1999 |
| Stable release | 1.4.22 (12 July 2011) |
| Written in | PHP, C[1] |
| Platform | Web platform |
| Available in | 56 languages[2]: Arabic, Bahasa Indonesia, Bahasa Melayu, Bangladeshi Bengali, Basque, Brazilian Portuguese, British, Bulgarian, Catalan, Chinese Simplified, Chinese Traditional, Croatian, Czech, Danish, Dutch, Estonian, Faroese, Finnish, French, Frisian, Georgian, German, Greek, Hebrew, Hungarian, Icelandic, Indian Bengali, Italian, Japanese, Khmer, Korean, Latvian, Lithuanian, Macedonian, Norwegian Bokmål, Norwegian Nynorsk, Persian, Polish, Portuguese, Romanian, Russian, Russian Ukrainian, Serbian, Sinhala, Slovak, Slovenian, Spanish, Swedish, Tagalog, Tamil, Thai, Turkish, Uighur, Ukrainian, Vietnamese, Welsh |
| Type | Webmail |
| License | GPL-2.0-or-later |
| Website | www |
| Repository | https://sourceforge.net/projects/squirrelmail/ |
SquirrelMail is an open-source webmail application written in PHP. It provides a web-based interface for accessing email via the IMAP protocol and sends messages through SMTP. The project also includes a separate IMAP proxy server written in C. Both components are released under the GNU General Public License version 2 or later.[1]
The last numbered stable release was version 1.4.22 in July 2011.[3] Since then, the project has continued through SVN snapshots; the current stable branch (1.4.23-svn) is tested with PHP up to version 8.1. SquirrelMail was once widely deployed and included in the repositories of major Linux distributions,[4][5] but its use has declined since the mid-2010s as hosting providers replaced it with Roundcube and other alternatives.
History
Nathan and Luke Ehresman started SquirrelMail in 1999.[1] The application runs on a LAMP stack or any other platform supporting PHP, and requires access to an IMAP server for mail storage and an SMTP server for sending.[6]
The webmail interface renders HTML 4.0, which made it compatible with a wide range of browsers at the time of its initial release.[6] A plugin architecture allows additional features to be added to the core application, and over 200 plugins were available from the project website.[7]
Apple shipped SquirrelMail as the default webmail application in Mac OS X Server.[8] The software was included in repositories for Fedora,[9] openSUSE,[10] Debian,[11] CentOS,[12] Ubuntu, Gentoo,[13] and FreeBSD.[14]
IMAP proxy
The IMAP proxy component was created in 2002 by Dave McMurtrie at the University of Pittsburgh, where it was called "up-imapproxy".[15] The SquirrelMail team adopted it in 2010. Written in C, the proxy maintains persistent connections to the IMAP server, avoiding the overhead of a new IMAP login on each HTTP request. It compiles on most Unix variants but does not run natively on Microsoft Windows outside of Cygwin or a similar environment.
Decline
The last numbered release, version 1.4.22, was published on 12 July 2011.[3] Subsequent maintenance has been distributed only as SVN snapshots. cPanel removed SquirrelMail in version 78 (2018), replacing it with Roundcube as its default webmail client. Other hosting control panels followed: DirectAdmin disabled SquirrelMail by default for new installations.[16] The SourceForge project page still receives several hundred downloads per week as of 2026.[17]
Security
2007 supply-chain compromise
In December 2007, an attacker gained access to the SquirrelMail file release system on SourceForge through a compromised developer account and replaced the version 1.4.11 and 1.4.12 tarballs with modified copies containing a backdoor allowing remote code execution.[18] Users noticed that the published MD5 checksums did not match the downloaded files. The project initially downplayed the issue, but security researcher Uwe Schindler demonstrated that the modifications opened a full remote code execution path.[18][19] The project released version 1.4.13 as a clean replacement. The source code repository itself was not affected. The incident was assigned CVE-2007-6348.[20]
Other vulnerabilities
In 2017, a remote code execution vulnerability (CVE-2017-7692) was disclosed in SquirrelMail's handling of the Sendmail command-line interface. An authenticated user could inject commands through the Return-Path header by using a tab character, allowing arbitrary command execution on the server.[21] In 2025, a cross-site scripting vulnerability (CVE-2025-30090) was found in the MIME handling code, affecting versions through 1.4.23-svn.[22]
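The tab-character problem described for CVE-2017-7692 can be illustrated with a short added example (Python, written for this page and not SquirrelMail's own PHP code). It shows that escaping shell metacharacters leaves whitespace untouched, so a sender value containing a tab becomes two arguments, and contrasts that with validating the address and passing an argument list. The function names, the sendmail path and the sample inputs are assumptions constructed for illustration.

```python
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"  # assumed path, not taken from the article

_META = re.compile(r"([;&|`$<>()\\'\"*?\[\]{}!#~^])")
# Conservative addr-spec: printable ASCII only, no whitespace, no leading '-'.
_ADDR = re.compile(r"[A-Za-z0-9_][A-Za-z0-9.!#$%&*+/=?^_{|}~-]*@[A-Za-z0-9][A-Za-z0-9.-]*")


def escape_metachars(value):
    """Constructed stand-in for a metacharacter escaper: whitespace passes through."""
    return _META.sub(r"\\\1", value)


def naive_argv(envelope_from):
    """Build the command as one string, then split it into words as a shell would."""
    cmdline = f"{SENDMAIL} -i -t -f{escape_metachars(envelope_from)}"
    return shlex.split(cmdline)


def validate_envelope_from(value):
    """Reject any sender that is not a single plain address token."""
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("whitespace or control character in envelope sender")
    if not _ADDR.fullmatch(value):
        raise ValueError("envelope sender is not a plain addr-spec")
    return value


def safe_argv(envelope_from):
    """Validate first, then pass an argument list so no word splitting happens."""
    return [SENDMAIL, "-i", "-t", "-f", validate_envelope_from(envelope_from)]


if __name__ == "__main__":
    # Constructed inputs; the second carries a tab followed by a harmless marker.
    for sender in ("user@example.org", "user@example.org\t--injected-option"):
        print(repr(sender), "naive ->", naive_argv(sender))
        try:
            print("  safe  ->", safe_argv(sender))
        except ValueError as exc:
            print("  safe  -> rejected:", exc)
```

The list returned by `safe_argv` is meant to be handed to a process API that takes an argument vector (for example `subprocess.run(argv)` without `shell=True`), so the sender value is never re-parsed into words.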
Plugins
The core application is a complete webmail system, but extra features are available through plugins. Over 200 third-party plugins were available for download from the SquirrelMail website, and the project ships with several built-in plugins.[7]
Internationalization
SquirrelMail has been translated into over 50 languages including Arabic, Chinese, French, German, and Spanish.[2]
Deployments
In March 2009, the Prime Minister's Office of India replaced Outlook Express with SquirrelMail after a virus caused a three-month email outage.[23][24] During the outage, messages from citizens went unanswered, and the PMO admitted in a hearing of the Central Information Commission that many emails had not been received.[24]
In 2004, HEC Montréal deployed SquirrelMail as part of its webmail infrastructure, supporting thousands of users.[25]
References
- ^ a b c d "SquirrelMail history". Squirrelmail.org. Retrieved 11 August 2009.
- ^ a b "SquirrelMail translation statistics". L10n-stats.squirrelmail.org. 16 June 2009. Retrieved 11 August 2009.
- ^ a b "SquirrelMail 1.4.22 Released". SourceForge.net. 12 July 2011. Retrieved 10 March 2026.
- ^ "Debian – Package Search Results – squirrelmail". debian.org. Retrieved 6 March 2010.
- ^ "Ubuntu – Package Search Results – squirrelmail". ubuntu.com. Retrieved 6 March 2010.
- ^ a b "SquirrelMail, a Web-Based Mail Server – O'Reilly Media". onlamp.com. Archived from the original on 25 July 2010. Retrieved 29 July 2010.
- ^ a b Wallen, Jack (7 August 2007). "SolutionBase: Taking SquirrelMail to new levels". Articles.techrepublic.com.com. Archived from the original on 31 December 2009. Retrieved 31 October 2010.
- ^ "Peachpit: Mac OS X Server Mail Service Boot Camp: Advanced Mailing List Features and Web Mail". 13 October 2006. Retrieved 30 August 2010.
- ^ "Fedora Package Database – squirrelmail". fedoraproject.org. Archived from the original on 20 December 2012. Retrieved 6 March 2010.
- ^ "Novell: openSUSE 10.3: squirrelmail". novell.com. Archived from the original on 11 April 2011. Retrieved 6 March 2010.
- ^ "Debian – Package Search Results – squirrelmail". debian.org. Retrieved 6 March 2010.
- ^ "CentOS Package List". centos.org. Archived from the original on 9 March 2010. Retrieved 6 March 2010.
- ^ "Gentoo Packages /package/mail-client/squirrelmail". gentoo.org. Archived from the original on 26 September 2010. Retrieved 6 March 2010.
- ^ "FreeBSD Ports Search – squirrelmail". freebsd.org. Retrieved 6 March 2010.
- ^ "IMAP Proxy home page". Retrieved 15 November 2010.
- ^ "SquirrelMail released PHP8 support". DirectAdmin Forums. Retrieved 10 March 2026.
- ^ "Project Statistics for SquirrelMail". sourceforge.net. Retrieved 25 July 2018.
- ^ a b "The backdooring of SquirrelMail". LWN.net. 19 December 2007. Retrieved 10 March 2026.
- ^ "Latest SquirrelMail download compromised". Help Net Security. 14 December 2007. Retrieved 10 March 2026.
- ^ "Bug 425291 – CVE-2007-6348 squirrelmail: Compromise of squirrelmail.org/sourceforge". Red Hat Bugzilla. Retrieved 10 March 2026.
- ^ "SquirrelMail – Remote Code Execution – CVE-2017-7692". legalhackers.com. Retrieved 10 March 2026.
- ^ "CVE-2025-30090". CVE Feed. Retrieved 10 March 2026.
- ^ "Microsoft dumped after India PM's emails go AWOL". The Register. 17 March 2009. Retrieved 6 March 2010.
- ^ a b "PMO's email system infected for three months". The Times of India. 15 March 2009. Archived from the original on 11 August 2011. Retrieved 6 March 2010.
- ^ "HEC Montréal: Deployment of a Large-Scale Mail Installation". linuxjournal.com. 1 May 2004. Retrieved 25 July 2010.