SquirrelMail is an open-source webmail application written in PHP. It provides a web-based interface for accessing email via the IMAP protocol and sends messages through SMTP. The project also includes a separate IMAP proxy server written in C. Both components are released under the GNU General Public License version 2 or later.[1]

The last numbered stable release was version 1.4.22 in July 2011.[3] Since then, the project has continued through SVN snapshots; the current stable branch (1.4.23-svn) is tested with PHP up to version 8.1. SquirrelMail was once widely deployed and included in the repositories of major Linux distributions,[4][5] but its use has declined since the mid-2010s as hosting providers replaced it with Roundcube and other alternatives.

History

Nathan and Luke Ehresman started SquirrelMail in 1999.[1] The application runs on a LAMP stack or any other platform supporting PHP, and requires access to an IMAP server for mail storage and an SMTP server for sending.[6]

The webmail interface renders HTML 4.0, which made it compatible with a wide range of browsers at the time of its initial release.[6] A plugin architecture allows additional features to be added to the core application, and over 200 plugins were available from the project website.[7]

Apple shipped SquirrelMail as the default webmail application in Mac OS X Server.[8] The software was included in repositories for Fedora,[9] openSUSE,[10] Debian,[11] CentOS,[12] Ubuntu, Gentoo,[13] and FreeBSD.[14]

IMAP proxy

The IMAP proxy component was created in 2002 by Dave McMurtrie at the University of Pittsburgh, where it was called “up-imapproxy”.[15] The SquirrelMail team adopted it in 2010. Written in C, the proxy maintains persistent connections to the IMAP server, avoiding the overhead of a new IMAP login on each HTTP request. It compiles on most Unix variants but does not run natively on Microsoft Windows outside of Cygwin or a similar environment.

Decline

The last numbered release, version 1.4.22, was published on 12 July 2011.[3] Subsequent maintenance has been distributed only as SVN snapshots. cPanel removed SquirrelMail in version 78 (2018), replacing it with Roundcube as its default webmail client. Other hosting control panels followed: DirectAdmin disabled SquirrelMail by default for new installations.[16] The SourceForge project page still receives several hundred downloads per week as of 2026.[17]

Security

2007 supply-chain compromise

In December 2007, an attacker gained access to the SquirrelMail file release system on SourceForge through a compromised developer account and replaced the version 1.4.11 and 1.4.12 tarballs with modified copies containing a backdoor allowing remote code execution.[18] Users noticed that the published MD5 checksums did not match the downloaded files. The project initially downplayed the issue, but security researcher Uwe Schindler demonstrated that the modifications opened a full remote code execution path.[18][19] The project released version 1.4.13 as a clean replacement. The source code repository itself was not affected. The incident was assigned CVE-2007-6348.[20]

Other vulnerabilities

In 2017, a remote code execution vulnerability (CVE-2017-7692) was disclosed in SquirrelMail’s handling of the Sendmail command-line interface. An authenticated user could inject commands through the Return-Path header by using a tab character, allowing arbitrary command execution on the server.[21] In 2025, a cross-site scripting vulnerability (CVE-2025-30090) was found in the MIME handling code, affecting versions through 1.4.23-svn.[22]
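
The 2017 Sendmail issue is an instance of argument injection: a whitespace character inside a user-controlled address becomes an argument boundary once the command line is split. The following is an added illustration in Python, not SquirrelMail's PHP code; the sendmail path, the function names and the sample addresses are assumptions constructed for this example.

```python
import re
import shlex

# Assumed location of the sendmail binary; deployment-specific.
SENDMAIL = "/usr/sbin/sendmail"

# Conservative envelope-sender pattern: must start with an alphanumeric
# (so it can never look like an option), no whitespace or control characters.
_ADDR = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\Z")


def naive_argv(sender):
    """'Before': interpolate the sender into one command string.

    shlex.split stands in for the whitespace splitting a shell performs,
    so a tab inside the address yields an extra argument.
    """
    return shlex.split(f"{SENDMAIL} -i -t -f{sender}")


def safe_argv(sender):
    """'After': validate the address, then build an argv list directly.

    The list is meant for an exec-style call without a shell
    (e.g. subprocess.run(argv, shell=False)), so the sender is always
    exactly one argument even if validation were bypassed.
    """
    if not _ADDR.match(sender):
        raise ValueError("rejected envelope sender")
    return [SENDMAIL, "-i", "-t", "-f", sender]


if __name__ == "__main__":
    # Constructed sample values, not taken from any advisory.
    good = "user@example.org"
    bad = "user@example.org\t--constructed-extra-option"

    print("naive, good:", naive_argv(good))
    print("naive, bad: ", naive_argv(bad))   # extra argv element appears
    print("safe,  good:", safe_argv(good))
    try:
        safe_argv(bad)
    except ValueError as exc:
        print("safe,  bad: ", exc)
```
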

Plugins

The core application is a complete webmail system, but extra features are available through plugins. Over 200 third-party plugins were available for download from the SquirrelMail website, and the project ships with several built-in plugins.[7]

Internationalization

SquirrelMail has been translated into over 50 languages including Arabic, Chinese, French, German, and Spanish.[2]

Deployments

In March 2009, the Prime Minister’s Office of India replaced Outlook Express with SquirrelMail after a virus caused a three-month email outage.[23][24] During the outage, messages from citizens went unanswered, and the PMO admitted in a hearing of the Central Information Commission that many emails had not been received.[24]

In 2004, HEC Montréal deployed SquirrelMail as part of its webmail infrastructure, supporting thousands of users.[25]

References

  1. “SquirrelMail history”. Squirrelmail.org. Retrieved 11 August 2009.
  2. “SquirrelMail translation statistics”. L10n-stats.squirrelmail.org. 16 June 2009. Retrieved 11 August 2009.
  3. “SquirrelMail 1.4.22 Released”. SourceForge.net. 12 July 2011. Retrieved 10 March 2026.
  4. “Debian – Package Search Results – squirrelmail”. debian.org. Retrieved 6 March 2010.
  5. “Ubuntu – Package Search Results – squirrelmail”. ubuntu.com. Retrieved 6 March 2010.
  6. “SquirrelMail, a Web-Based Mail Server – O’Reilly Media”. onlamp.com. Archived from the original on 25 July 2010. Retrieved 29 July 2010.
  7. Wallen, Jack (7 August 2007). “SolutionBase: Taking SquirrelMail to new levels”. Articles.techrepublic.com.com. Archived from the original on 31 December 2009. Retrieved 31 October 2010.
  8. “Peachpit: Mac OS X Server Mail Service Boot Camp: Advanced Mailing List Features and Web Mail”. 13 October 2006. Retrieved 30 August 2010.
  9. “Fedora Package Database – squirrelmail”. fedoraproject.org. Archived from the original on 20 December 2012. Retrieved 6 March 2010.
  10. “Novell: openSUSE 10.3: squirrelmail”. novell.com. Archived from the original on 11 April 2011. Retrieved 6 March 2010.
  11. “Debian – Package Search Results – squirrelmail”. debian.org. Retrieved 6 March 2010.
  12. “CentOS Package List”. centos.org. Archived from the original on 9 March 2010. Retrieved 6 March 2010.
  13. “Gentoo Packages /package/mail-client/squirrelmail”. gentoo.org. Archived from the original on 26 September 2010. Retrieved 6 March 2010.
  14. “FreeBSD Ports Search – squirrelmail”. freebsd.org. Retrieved 6 March 2010.
  15. “IMAP Proxy home page”. Retrieved 15 November 2010.
  16. “SquirrelMail released PHP8 support”. DirectAdmin Forums. Retrieved 10 March 2026.
  17. “Project Statistics for SquirrelMail”. sourceforge.net. Retrieved 25 July 2018.
  18. “The backdooring of SquirrelMail”. LWN.net. 19 December 2007. Retrieved 10 March 2026.
  19. “Latest SquirrelMail download compromised”. Help Net Security. 14 December 2007. Retrieved 10 March 2026.
  20. “Bug 425291 – CVE-2007-6348 squirrelmail: Compromise of squirrelmail.org/sourceforge”. Red Hat Bugzilla. Retrieved 10 March 2026.
  21. “SquirrelMail – Remote Code Execution – CVE-2017-7692”. legalhackers.com. Retrieved 10 March 2026.
  22. “CVE-2025-30090”. CVE Feed. Retrieved 10 March 2026.
  23. “Microsoft dumped after India PM’s emails go AWOL”. The Register. 17 March 2009. Retrieved 6 March 2010.
  24. “PMO’s email system infected for three months”. The Times of India. 15 March 2009. Archived from the original on 11 August 2011. Retrieved 6 March 2010.
  25. “HEC Montréal: Deployment of a Large-Scale Mail Installation”. linuxjournal.com. 1 May 2004. Retrieved 25 July 2010.