SquirrelMail 1.2.7 security audit results

Application name: SquirrelMail
Homepage: www.squirrelmail.org
Version: 1.2.7
Lines of code: 32707
Date: 19 Jun 2002

Filename: squirrelmail-1.2.7.tar.gz
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
MD5: d41d8cd98f00b204e9800998ecf8427e

Status: Preliminary audit results; further efforts abandoned.

Findings

SquirrelMail is pretty much a disaster.

SquirrelMail requires register_globals to be enabled.

SquirrelMail does not place non-browserfiles outside the WWW root. The developers use .htaccess and index.php files to restrict access to to non-browser files.

SquirrelMail uses a single read/write database connection even though most operations are read only. Restricting userids at a database level help mitigate risks of SQL injection.

SquirrelMail requires write access to a directory in the web root.

Further audit efforts have been abandoned until the developers clue in. We advise strongly against using SquirrelMail on Internet connected computers.

(Update, 16 December 2002: versions 1.2.8 and 1.2.9 were both released due to security problems.)