Slashdot Mirror


SquirrelMail Repository Poisoned

SkiifGeek writes "Late last week the SquirrelMail team posted information on their site about a compromise to the main download repository for SquirrelMail that resulted in a critical flaw being introduced into two versions of the webmail application (1.4.11 and 1.4.12). After gaining access to the repository through a release maintainer's compromised account (it is believed), the attackers made a slight modification to the release packages, modifying how a PHP global variable was handled. This introduced a remote file inclusion bug — leading to an arbitrary code execution risk on systems running the vulnerable versions of the software. The poisoning was identified by a difference in MD5 signatures for version 1.4.12. Version 1.4.13 is now available."

17 of 182 comments

  1. Ouch. Is RoundCube stable yet? by gambolt · · Score: 1, Informative

    Anyone been using it for a while without any problems?

    I've not evaluated it recently. Horde is a PITA to set up and this doesn't give me confidence in the SM team.

  2. Re:beyond md5 by plague3106 · · Score: 3, Informative

    If you read the article, or even the summary, it was someone checking the MD5 that discovered the poisoning. So... I'd say it certainly helped.

  3. three versions compromised by Anonymous Coward · · Score: 1, Informative

    1.4.11, 1.4.12 and 1.5.1. Same attack based on the CGI 1.1 specification implemented by PHP.

  4. Re:They got lucky by tokul · · Score: 2, Informative

    MD5 was on the same server.
    Nope. They are on a different server.

  5. Re:They got lucky by broken_chaos · · Score: 4, Informative

    I don't think they are. MD5 is on the main SquirrelMail site, package is hosted on SourceForge.

  6. Re:Ouch. Is RoundCube stable yet? by pembo13 · · Score: 3, Informative

    I love it, it is very nice on the eyes compared to SquirrelMail. I do not use it regularly, but I trust it for whenever it is needed.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft

  7. Re:beyond md5 by DarkHelmet433 · · Score: 3, Informative

    Yes. The article is vague, and the title on /. is worse - it implies the source repository. It seems people have been easily misled as a result. Always read the actual article, not a 2nd or 3rd hand summary.

    From there:

    "The code modifications did not make it into our source control, just the final package. We are currently investigating older packages to see if they were also compromised."

  8. Re:Ouch. Is RoundCube stable yet? by mlwmohawk · · Score: 2, Informative

    Anyone been using it for a while without any problems?

    I use it on my site and install it for customers. You won't build a "hotmail" with it, and a rich user client like Thunderbird is almost always a better choice for users, but for those who need web access to their email, it is absolutely great.

  9. Re:Good thing UWRF techies are lazy by D'Arque+Bishop · · Score: 3, Informative

    Actually, when 1.4.11 and 1.4.12 were released, they were uncompromised. Sometime after, one of the developers' accounts was hacked and the compromised versions were uploaded.

    So, if someone (like your techies) had installed 1.4.12 within a few days of its release, chances are they would have gotten an uncompromised version. I had installed 1.4.12 a couple of hours after release, and after the compromise was found I checked and found mine was an authentic release.

  10. Weeee... by ender_01 · · Score: 2, Informative

    For anyone that doesn't get the 'andweeeeeee' tag may I refer you to http://www.threebrain.com/weeeeee.shtml/.

  11. Re:You know... by D'Arque+Bishop · · Score: 5, Informative

    Unfortunately, the next guy will just edit the .md5 files to contain the correct signature.

    (For those who don't get it: MD5 only caught it because the 'hacker' didn't think to check for MD5 signatures. They're trivial to regenerate after you change the file.)
    Correction: MD5 caught it because the MD5 files are stored on the main SquirrelMail server and the packages that were altered were stored on SourceForge. The "hacker" didn't have access to the former, so he couldn't change them.

    Hope this helps...
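    What the hosting split described above buys a downloader, shown as an added Python example (this is not code from the thread or from the SquirrelMail project; the package bytes, filenames and hash listing are constructed placeholders). It verifies a package against a `<digest>  <filename>` listing of the kind `md5sum -c` reads, and runs two scenarios: the listing published on a server the attacker cannot write to exposes the swapped package, while a listing stored next to the package and regenerated with it does not. It also goes slightly beyond the single-file case by checking a whole release directory at once, and accepts the hash algorithm as a parameter so the same check works with SHA-256.

```python
"""
Added example: verifying a downloaded release against a detached hash
listing, and why the location of that listing matters.

Everything is constructed in memory so the script runs offline: the
"packages" are placeholder bytes standing in for real tarballs.
"""
import hashlib
import hmac

# Constructed stand-ins for a release tarball as the maintainer built it
# and for the same file after it was replaced on the download host.
ORIGINAL_1_4_11 = b"squirrelmail-1.4.11.tar.gz (constructed placeholder bytes)\n"
ORIGINAL_1_4_12 = b"squirrelmail-1.4.12.tar.gz (constructed placeholder bytes)\n"
POISONED_1_4_12 = ORIGINAL_1_4_12 + b"(constructed bytes standing in for the altered package)\n"


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of data; md5 matches the thread, sha256 is the better default today."""
    return hashlib.new(algo, data).hexdigest()


def make_hash_file(packages: dict, algo: str = "md5") -> str:
    """Build a '<digest>  <filename>' listing, one line per file (md5sum/sha256sum format)."""
    return "".join(f"{digest(data, algo)}  {name}\n" for name, data in packages.items())


def parse_hash_file(text: str) -> dict:
    """Parse '<digest>  <filename>' lines into {filename: digest}; blank lines are skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed hash line: {line!r}")
        hexdigest, name = parts
        # A leading '*' marks binary mode in md5sum output; it is not part of the name.
        expected[name.lstrip("*")] = hexdigest.lower()
    return expected


def verify(name: str, data: bytes, hash_file_text: str, algo: str = "md5") -> bool:
    """True when the digest of data matches the listing's entry for name."""
    expected = parse_hash_file(hash_file_text)
    if name not in expected:
        raise KeyError(f"{name} is not listed in the hash file")
    return hmac.compare_digest(digest(data, algo), expected[name])


def mismatches(packages: dict, hash_file_text: str, algo: str = "md5") -> list:
    """Names of every listed file whose content does not match the listing (whole-directory check)."""
    expected = parse_hash_file(hash_file_text)
    return sorted(
        name for name, data in packages.items()
        if name in expected and not hmac.compare_digest(digest(data, algo), expected[name])
    )


def scenario_separate_hosts() -> bool:
    """Listing on the project's own server, package on the mirror.
    The listing still describes the maintainer's file, so the swapped package fails."""
    listing = make_hash_file({"squirrelmail-1.4.12.tar.gz": ORIGINAL_1_4_12})
    return verify("squirrelmail-1.4.12.tar.gz", POISONED_1_4_12, listing)


def scenario_same_host() -> bool:
    """Listing stored beside the package and regenerated along with it.
    Verification passes, so a co-located checksum only proves the download was not corrupted in transit."""
    listing = make_hash_file({"squirrelmail-1.4.12.tar.gz": POISONED_1_4_12})
    return verify("squirrelmail-1.4.12.tar.gz", POISONED_1_4_12, listing)


if __name__ == "__main__":
    print("separate hosts, poisoned package passes:", scenario_separate_hosts())
    print("same host, poisoned package passes:    ", scenario_same_host())
    trusted = make_hash_file({"squirrelmail-1.4.11.tar.gz": ORIGINAL_1_4_11,
                              "squirrelmail-1.4.12.tar.gz": ORIGINAL_1_4_12})
    print("files that differ from the trusted listing:",
          mismatches({"squirrelmail-1.4.11.tar.gz": ORIGINAL_1_4_11,
                      "squirrelmail-1.4.12.tar.gz": POISONED_1_4_12}, trusted))
```

    The comparison uses `hmac.compare_digest` out of habit rather than necessity here (the digests are public), and the algorithm parameter exists so the same listing format can carry SHA-256 digests; the control itself is the separation of where the listing and the package live, not the hash function.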

  12. Re:Open vs. Closed Source Security Implications by D'Arque+Bishop · · Score: 2, Informative

    The issue is that you're working from a bit of a flawed premise. :-)

    1.4.11 and 1.4.12 were released uncompromised. In very late November, someone hacked a developer's SourceForge account and uploaded compromised versions of 1.4.11, 1.4.12, and 1.5.1. As soon as the problem was found in the stable branch, an announcement was made and the original 1.4.x versions restored. As soon as someone came onto Freenode #squirrelmail and explained the EXACT security implications of the poisoned releases, 1.4.11 and 1.4.12 were pulled from distribution entirely and 1.4.13 was released. Yesterday morning it was discovered that 1.5.1 was compromised via a different file, and that was pulled from distribution as well.

    In other words, the compromised versions were introduced well after the original release, and once the issues were discovered they were swiftly dealt with.

    Hope this helps...

  13. 1.5.1 was compromised as well... by D'Arque+Bishop · · Score: 5, Informative

    One thing that wasn't covered in the story...

    Yesterday morning it was discovered that the 1.5.1 (development) release had been compromised as well. It hadn't been discovered until then as the hacker had modified a different file in a slightly different way. If you're running a version of 1.5.1 that had been downloaded after sometime in late November, then it would be a good idea to remove it or replace it with a SVN release (which was not compromised).

    There's no official announcement yet, but 1.5.1 has been pulled from distribution and an official announcement will probably be forthcoming.

    Hope this helps...

  14. Re:Ouch. Is RoundCube stable yet? by coryking · · Score: 4, Informative

    Why is this modded as a troll?

    Roundcube has great potential, but it isn't nearly as mature as SM. It does seem to be getting better though. The big problem I have with Roundcube is it doesn't have plugins. No plugins = no Sieve filters (avelsieve), which is a big deal to me. No plugins = no other cool things that Squirrelmail has like importing and exporting address books from all kinds of crazy places, no admin plugins, etc...

    Someday though. It has always looked and functioned way nicer than squirrelmail, it just needs more backend sysadmin goodness.

  15. Re:Ouch. Is RoundCube stable yet? by RemyBR · · Score: 2, Informative

    I've been using it for some weeks now... small user base though, about 25 people. Runs fine after I did some small fixes on the identity management and auto user creation features, which had minor bugs on the release I got. But overall it's a great piece of software.

  16. Re:beyond md5 by el+americano · · Score: 2, Informative

    With a Hollywood movie hacker, you mean. It is theoretically possible for this to be done, but researchers have not accomplished it yet. Just last month someone came close, but it required altering the original program to match the new MD5 collision value: Software Integrity Checksum Vulnerability

    But I'm sure it would be no problem for your über-hacker or for Chuck Norris.

    --
    Those are my principles. If you don't like them I have others. -Groucho Marx

  17. Re:Ouch. Is RoundCube stable yet? by tux0r · · Score: 2, Informative

    I thought of RoundCube the instant I saw this article.

    I've just installed Round Cube 0.1-RC2 on my webserver to get reliable access to my non-work email. Apart from the dubious 0.1 version number (way to instil confidence in the end users: call an otherwise stable first release 1.0!) it is significantly more reliable than beta1 and even more crisply polished than before.

    SquirrelMail and Horde are mature, yes, but they seem to bloat. I just want a lightweight, well-designed web access system so I don't have to use mail2web.com. Keep up the good work RoundCube!

    --
    ( Redundancy is ) ^ n