Slashdot Mirror


SquirrelMail Repository Poisoned

SkiifGeek writes "Late last week the SquirrelMail team posted information on their site about a compromise to the main download repository for SquirrelMail that resulted in a critical flaw being introduced into two versions of the webmail application (1.4.11 and 1.4.12). After gaining access to the repository through a release maintainer's compromised account (it is believed), the attackers made a slight modification to the release packages, modifying how a PHP global variable was handled. This introduced a remote file inclusion bug — leading to an arbitrary code execution risk on systems running the vulnerable versions of the software. The poisoning was identified by a difference in MD5 signatures for version 1.4.12. Version 1.4.13 is now available."

6 of 182 comments

  1. You know... by mdm-adph · Score: 4, Interesting

    ...I've never made sure to always check my MD5 signatures, but I damn sure am now.

    --
    It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    1. Re:You know... by araemo · Score: 2, Interesting

      ...I've never made sure to always check my MD5 signatures, but I damn sure am now.
      Unfortunately, the next guy will just edit the .md5 files to contain the correct signature.

      (For those who don't get it: MD5 only caught it because the 'hacker' didn't think to check for MD5 signatures. They're trivial to regenerate after you change the file.)

      GPG signing is more secure, but if the secret key is compromised, they can be faked as well. That said, there are at least revocation procedures that can catch it even if you don't read the news.
    2. Re:You know... by Nasarius · Score: 2, Interesting

      Exactly! I don't understand why GnuPG signatures aren't in common use in the open-source world. Gentoo and other distros use them to sign packages, but if there's a weak link upstream, that's no good. It requires some extra infrastructure (a central key server for well-established developers/release engineers would be nice), but once you had that set up, verifying any package would be automatic.

      GPG signing is more secure, but if the secret key is compromised, they can be faked as well.
      And that's relatively unlikely, since an attacker would need both the key and its password.
      --
      LOAD "SIG",8,1
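      The point araemo and Nasarius are making, worked through as an added example (not code from SquirrelMail or from any commenter): a .md5 sidecar fetched from the same repository as the tarball only catches an attacker who forgets to regenerate it, while a hash obtained through a channel the attacker did not control still catches the swap. The tarball bytes, file names and the "announced" hash below are all constructed; MD5 is used only because that is what the project published, and the same reasoning holds for SHA-256.

```python
import hashlib

# Constructed stand-in for a release: the tarball bytes and the name the
# project publishes it under. Not real SquirrelMail content.
TARBALL_NAME = "squirrelmail-1.4.12.tar.gz"
CLEAN_TARBALL = b"clean release contents: many PHP files\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def publish(tarball: bytes) -> dict:
    """Maintainer side: the release directory holds the tarball and an
    md5sum-style sidecar ("<hex>  <filename>") generated from it."""
    return {
        TARBALL_NAME: tarball,
        TARBALL_NAME + ".md5": f"{md5_hex(tarball)}  {TARBALL_NAME}\n".encode(),
    }


def poison(release_dir: dict, regenerate_sidecar: bool) -> dict:
    """Attacker with write access to the repository: alter the tarball
    (a constructed marker line stands in for the real one-line change)
    and, if they think of it, rewrite the sidecar so it matches again."""
    poisoned = dict(release_dir)
    poisoned[TARBALL_NAME] = release_dir[TARBALL_NAME] + b"# one tampered line\n"
    if regenerate_sidecar:
        poisoned[TARBALL_NAME + ".md5"] = (
            f"{md5_hex(poisoned[TARBALL_NAME])}  {TARBALL_NAME}\n".encode())
    return poisoned


def verify_same_channel(release_dir: dict) -> bool:
    """Client check that trusts the .md5 file fetched from the same place
    as the tarball. This is what 'checking the MD5' usually means."""
    sidecar = release_dir[TARBALL_NAME + ".md5"].decode().split()
    return len(sidecar) == 2 and md5_hex(release_dir[TARBALL_NAME]) == sidecar[0]


def verify_pinned(release_dir: dict, pinned_hex: str) -> bool:
    """Client check against a hash obtained out of band (assumed here to
    come from a release announcement the attacker could not edit)."""
    return md5_hex(release_dir[TARBALL_NAME]) == pinned_hex


def run_scenarios() -> dict:
    """Walk through the cases discussed in the thread."""
    clean = publish(CLEAN_TARBALL)
    announced = md5_hex(CLEAN_TARBALL)  # hash recorded out of band before the compromise
    sloppy = poison(clean, regenerate_sidecar=False)   # attacker left the .md5 alone
    careful = poison(clean, regenerate_sidecar=True)   # araemo's "next guy"
    return {
        "clean_same_channel": verify_same_channel(clean),             # True
        "poisoned_sidecar_untouched": verify_same_channel(sloppy),    # False: caught
        "poisoned_sidecar_regenerated": verify_same_channel(careful), # True: missed
        "poisoned_vs_pinned_hash": verify_pinned(careful, announced), # False: caught
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'passes' if ok else 'FAILS'}")
```

      The third case is the one to remember: once the attacker rewrites the sidecar, the same-channel check passes and only a hash (or signature) whose trust root lives outside the compromised repository still fails.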
  2. Has the compromised account been secured? by Ambiguous Puzuma · Score: 4, Interesting

    If the vulnerability was introduced through a compromised account, is there any assurance that that account is no longer compromised? I see no mention of that.

  3. Re:Thank Heaven For Open Source by DigitAl56K · Score: 3, Interesting

    Really? How many vendors of proprietary applications have their source repositories sitting on the Internet with a visible public interface and developers who may never have even met each other logging in from all over the world?

    I also like how you blanket-troll all vendors of proprietary applications as if none possess basic ethics.

  4. Alternative webmail? by Tweekster · Score: 2, Interesting

    Seriously, the state of webmail is pretty sad. Are there any promising projects for a MODERN webmail system out there? (Not a full collab package, or a heavy HEAVY ajax system)

    OSS or closed source, it doesn't matter to me, just anything that is good. Squirrelmail is what I use right now, and well, it's ugly and it doesn't seem like they ever plan on making it look like a modern webmail client should.

    --
    The phrase "more better" is acceptable English. suck it grammar Nazis