Slashdot Mirror

← Back to Stories (view on slashdot.org)

SquirrelMail Repository Poisoned

Posted by kdawson on from the nuts-to-that dept.

SkiifGeek writes "Late last week the SquirrelMail team posted information on their site about a compromise to the main download repository for SquirrelMail that resulted in a critical flaw being introduced into two versions of the webmail application (1.4.11 and 1.4.12). After gaining access to the repository through a release maintainer's compromised account (it is believed), the attackers made a slight modification to the release packages, modifying how a PHP global variable was handled. This introduced a remote file inclusion bug — leading to an arbitrary code execution risk on systems running the vulnerable versions of the software. The poisoning was identified by a difference in MD5 signatures for version 1.4.12. Version 1.4.13 is now available."

8 of 182 comments (clear)

  1. Re:people needed by Anonymous Coward · · Score: 0, Insightful

    People that play MyMiniCity are gay and lame. They smell funny, too.

  2. Thank Heaven For Open Source by mpapet · · Score: 5, Insightful

    If this were to happen to a proprietary application you wouldn't get an honest answer from the vendor. The bigger the vendor the worse the response.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re:Thank Heaven For Open Source by 99BottlesOfBeerInMyF · · Score: 4, Insightful

      Really? How many vendors of proprietary applications have their source repositories sitting on the Internet with a visible public interface and developers who may never have even met each other logging in from all over the world?

      Considering the trend for outsourcing, probably more than you'd think. A lot more yet simply ship the code off to India or Latvia or somewhere, get it back, perform no real reviews of the code, and ship it out.

      I also like how you blanket-troll all vendors of proprietary applications as if none posses basic ethics.

      He does paint with a bit of a broad brush; but he also has a point. Commercial, closed source vendors are running a business and their primary motivation is money. Sadly, that often means hiding security breaches from users, even when that places those users at risk. OSS projects may have commercial motivations as well, but because of the process they cannot easily hide this type of problem... which is good for users.

  3. They got lucky by sqlrob · · Score: 3, Insightful

    MD5 was on the same server. What prevented the attacker from changing that as well?

  4. Re:You know... by KiloByte · · Score: 5, Insightful

    What's the point? If you download the signatures from the same website as the packages, you won't catch any but most lazy/inept attackers. The ones here were that stupid, but come on, this trick works only once.

    In fact, if an attacker can tamper with the website on any point (including a router/proxy on the way), they can change the md5 whenever they change any other communication if they only care enough. For any resilience, you'd need public key cryptography; but even then you will be only as safe as the least safe private key.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  5. Makes me wonder by tuomoks · · Score: 2, Insightful

    Good catch but it makes me wonder how the SC/CM is managed today? Open or closed source is vulnerable for developer access. I can understand that open source projects don't always have resources to run full SC/CM systems but I don't see full control even in some closed source environments I know. It is not difficult but needs some planning and computer resources, not human resources! Almost only places I have seen that kind of system controls are some insurance, banking (less often) and governments (often a mess). It is not just security, mistakes happen, and on long run it always pays back, try to tell that to management(heh!) Maybe I'm biased but after a couple of mishaps a long time ago we implemented a SC/CM system to protect against unverified and/or untested systems going to production and several other companies started using similar methods after us. It really can be automated with some planning. First everybody hates it and 6 months later they love the benefits, as I said, everybody makes mistakes and one command recovery is very nice when that happens before anything goes wrong.

  6. Open vs. Closed Source Security Implications by tfskelly · · Score: 3, Insightful

    I recently wrote a paper arguing that open source is more secure than closed source because finding and fixing flaws is easier in open source. I'm not sure if this incident supports or refutes that argument. In one post at SquirrelMail's blog, they say that 1.412 is compromised. In the next post, they say that 1.411(released Sept 29) and 1.412(released Dec 5) are compromised. If the time between the first compromised release and the fix is 9 days, nice job. If the time between first compromised release and the fix is 2.5 months, I'm not too impressed. Regardless, it looks like the time between discovery of the flaw and patch is only 1 day, which is pretty outstanding. Why did it take so long to find a MD5 error when the MD5 hashs and downloads are posted right next to each other for several months? Did no one check them for that long? Is this the developer's responsibility, or the responsibility of the implementing community? What measures can be taken to prevent this kind of oversight from happening again? I'm not so worried about the compromise itself - projects will get hacked. But there are safeguards to prevent this exact hack from being too effective, and those safeguards didn't work. Why not?

  7. Re:You know... by Anonymous Coward · · Score: 1, Insightful

    MD5 hash is based on the file contents alone. No public key is involved. So yes, the attackers could have just published the hash that matched the compromised archive and no one would have been the wiser.