SquirrelMail Repository Poisoned

← Back to Stories (view on slashdot.org)

SquirrelMail Repository Poisoned

Posted by kdawson on Tuesday December 18, 2007 @07:47AM from the nuts-to-that dept.

SkiifGeek writes "Late last week the SquirrelMail team posted information on their site about a compromise to the main download repository for SquirrelMail that resulted in a critical flaw being introduced into two versions of the webmail application (1.4.11 and 1.4.12). After gaining access to the repository through a release maintainer's compromised account (it is believed), the attackers made a slight modification to the release packages, modifying how a PHP global variable was handled. This introduced a remote file inclusion bug — leading to an arbitrary code execution risk on systems running the vulnerable versions of the software. The poisoning was identified by a difference in MD5 signatures for version 1.4.12. Version 1.4.13 is now available."

9 of 182 comments (clear)

When a member of the team arrived for work by Anonymous Coward · 2007-12-18 07:49 · Score: 4, Funny

This was the first sign of trouble: http://i23.tinypic.com/2ezqkht.jpg
1. Re:When a member of the team arrived for work by Mipoti+Gusundar · 2007-12-18 08:15 · Score: 0, Funny
  
  Sahib, first sign of trouble was using that gosdarnable PHP. What ruddy pile of the total pooeypoopoo!
  
  --
  Will code for new sig.
SquirrelMail team's first response after discovery by Anonymous Coward · 2007-12-18 07:52 · Score: 5, Funny

...of the breech: "Aw Nuts!"
SquirrelMail is poisoned, so... by batquux · 2007-12-18 07:59 · Score: 2, Funny

Horde FTW!
Bad design by Anonymous Coward · 2007-12-18 08:05 · Score: 5, Funny

Whoever decided that sending mail by using squirrels as couriers through these series of tubes is just damn wrong. Even worse, who are these sick bastards poisoning squirrels?
1. Re:Bad design by Technomonics · 2007-12-18 08:31 · Score: 5, Funny
  
  STP (Squirrel transport Protocol) suffers from the same inherent problems as IPOAC(IP over Avian Carrier) in that they are both very vulnerable to a a CITM (Cat In The Middle) attack. If however you were to implement STP over RHB (Roving Hamster Ball), the packet may still be intact yet there may occur an indeterminate amount of delay.
  
  FWIW
Don't trust squirrels! by Jester998 · 2007-12-18 08:21 · Score: 4, Funny

I, for one, refuse to trust my mail to any creature that can be this devious.
"andweeee. . ." Tag by aquatone282 · 2007-12-18 10:24 · Score: 2, Funny

Slashdot tags are now officially funnier than the posts themselves.

--
What?
It's always some by tkid · 2007-12-18 14:41 · Score: 2, Funny

developer that somehow allows some crackers into the system or network.. no pun intended. My present employer now, we had a developers machine get compromised, it was sweet walking over to his machine and unplugging his network cable while he was working, along with the phrase, "we'll let you know when you can plug it back in after we wipe your machine."