Horde/IMP versus Squirrelmail

Matt Pusateri mpusateri at wickedtrails.com
Tue May 24 14:55:47 EDT 2005


On Tue, May 24, 2005 11:47 am, Steven Champeon said:
<snip>
>
> Well, I dunno about Horde/IMP, but it seems like nearly all of the
> phishing scams I see here (on the order of a dozen or so a day) and 419
> scams (on the order of hundreds a day) come from compromised boxes
> running Squirrelmail. The ~30 listed vulnerabilities at security-focus
> don't exactly compel confidence, either. Seems like a pretty good way to
> unwittingly get yourself into the world spam/scam conspiracy to me. But
> maybe installing Maia Mailguard in front of it will help.
>


Ok, first off I think your ~30 stats are a little misleading.  I say
this b/c I searched Security-Focus for SM advisories and got 39 hits.
But some advisories were listed more than once for the same
vulnerability, such as when Fedora Core 2 & 3 both put out new rpms,
which is shown as two hits.  Same thing with other distros as
well.  Also some of the vulnerabilities were for PHP, which can affect
SM, but doesn't necessarily.

I've been using SM for at least 2 years and the majority of
vulnerabilities have been cross-site scripting vulnerabilities.  Since
SM is a mail client only, I find it hard to believe that SM itself is
responsible for all the scam emails you have been getting.  I find it
more plausible that the SM box is also an open relay than that SM is
being used to unknowingly send spam/phishing emails.  But that of
course would be the MTA, not the MUA, that is the problem.  I am also not
aware of any open vulnerabilities in SM, so pretty much any unpatched
box would exhibit the same problems, not just SM.

I have interpreted from your message that somehow you believe the SM
code to be insecure such as to allow remotely run scripts to take
advantage of some SM security hole.  If you indeed know of some
problem, I would hope you would bring it to the attention of the SM
developers so it can be patched; otherwise you are unjustly crying
wolf.

Matt
