Slashdot Mirror


SquirrelMail Repository Poisoned

SkiifGeek writes "Late last week the SquirrelMail team posted information on their site about a compromise to the main download repository for SquirrelMail that resulted in a critical flaw being introduced into two versions of the webmail application (1.4.11 and 1.4.12). After gaining access to the repository through a release maintainer's compromised account (it is believed), the attackers made a slight modification to the release packages, modifying how a PHP global variable was handled. This introduced a remote file inclusion bug — leading to an arbitrary code execution risk on systems running the vulnerable versions of the software. The poisoning was identified by a difference in MD5 signatures for version 1.4.12. Version 1.4.13 is now available."

14 of 182 comments

  1. When a member of the team arrived for work by Anonymous Coward · · Score: 4, Funny

    This was the first sign of trouble: http://i23.tinypic.com/2ezqkht.jpg

  2. SquirrelMail team's first response after discovery by Anonymous Coward · · Score: 5, Funny

    ...of the breach: "Aw Nuts!"

  3. You know... by mdm-adph · · Score: 4, Interesting

    ...I've never made sure to always check my MD5 signatures, but I damn sure am now.

    --
    It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed

    1. Re:You know... by KiloByte · · Score: 5, Insightful

      What's the point? If you download the signatures from the same website as the packages, you won't catch any but the most lazy/inept attackers. The ones here were that stupid, but come on, this trick works only once.

      In fact, if an attacker can tamper with the website on any point (including a router/proxy on the way), they can change the md5 whenever they change any other communication if they only care enough. For any resilience, you'd need public key cryptography; but even then you will be only as safe as the least safe private key.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.

    2. Re:You know... by D'Arque+Bishop · · Score: 5, Informative

      Unfortunately, the next guy will just edit the .md5 files to contain the correct signature.

      (For those who don't get it: MD5 only caught it because the 'hacker' didn't think to check for MD5 signatures. They're trivial to regenerate after you change the file.)
      Correction: MD5 caught it because the MD5 files are stored on the main SquirrelMail server and the packages that were altered were stored on SourceForge. The "hacker" didn't have access to the former, so he couldn't change them.

      Hope this helps...
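The two comments above make one point between them: a checksum published beside the package is regenerated by whoever tampers with the package, and MD5 only caught this incident because the .md5 files lived on a host the attacker could not write to. The following Python model of that situation is an added example, not code from the SquirrelMail project or from the posters; the package bytes are constructed placeholders, and it deliberately stops at checksums (it does not cover the signature-based verification KiloByte mentions).

```python
import hashlib

# Constructed stand-ins for the release tarball: the genuine build and the copy an
# attacker with write access to the download mirror has altered. Placeholder bytes;
# the real SquirrelMail packages and the altered PHP are not reproduced here.
GENUINE_PACKAGE = b"squirrelmail-1.4.12.tar.gz: genuine release (constructed)"
TAMPERED_PACKAGE = b"squirrelmail-1.4.12.tar.gz: attacker-modified release (constructed)"


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest, the checksum format the project published as .md5 files."""
    return hashlib.md5(data).hexdigest()


def publish_to_mirror(package: bytes) -> dict:
    """A mirror that hosts the package and its .md5 side by side (one trust domain)."""
    return {"package": package, "package.md5": md5_hex(package)}


def attacker_replaces_package(mirror: dict, tampered: bytes) -> dict:
    """Whoever can write the package can regenerate the co-located .md5 as well."""
    poisoned = dict(mirror)
    poisoned["package"] = tampered
    poisoned["package.md5"] = md5_hex(tampered)
    return poisoned


def check_with_mirror_md5(mirror: dict) -> bool:
    """What a user does when fetching package and .md5 from the same site."""
    return md5_hex(mirror["package"]) == mirror["package.md5"]


def check_with_out_of_band_md5(mirror: dict, project_site_md5: str) -> bool:
    """Same comparison, but the reference digest comes from a host the attacker
    could not write to (the project's own site, in the incident described above)."""
    return md5_hex(mirror["package"]) == project_site_md5


def demo() -> dict:
    # The project records the digest of the genuine build on its own site.
    project_site_md5 = md5_hex(GENUINE_PACKAGE)
    poisoned = attacker_replaces_package(publish_to_mirror(GENUINE_PACKAGE), TAMPERED_PACKAGE)
    return {
        "same_site_check_passes": check_with_mirror_md5(poisoned),  # True: tells you nothing
        "out_of_band_check_passes": check_with_out_of_band_md5(poisoned, project_site_md5),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The second check is the one that detected the poisoned 1.4.12 package; the first would have passed had the attacker been able to edit the .md5 files too.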

  4. Bad design by Anonymous Coward · · Score: 5, Funny

    Whoever decided that sending mail by using squirrels as couriers through these series of tubes is just damn wrong. Even worse, who are these sick bastards poisoning squirrels?

    1. Re:Bad design by Technomonics · · Score: 5, Funny

      STP (Squirrel Transport Protocol) suffers from the same inherent problems as IPoAC (IP over Avian Carrier) in that they are both very vulnerable to a CITM (Cat In The Middle) attack. If however you were to implement STP over RHB (Roving Hamster Ball), the packet may still be intact yet there may occur an indeterminate amount of delay.

      FWIW

  5. Thank Heaven For Open Source by mpapet · · Score: 5, Insightful

    If this were to happen to a proprietary application you wouldn't get an honest answer from the vendor. The bigger the vendor the worse the response.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html

    1. Re:Thank Heaven For Open Source by 99BottlesOfBeerInMyF · · Score: 4, Insightful

      Really? How many vendors of proprietary applications have their source repositories sitting on the Internet with a visible public interface and developers who may never have even met each other logging in from all over the world?

      Considering the trend for outsourcing, probably more than you'd think. A lot more yet simply ship the code off to India or Latvia or somewhere, get it back, perform no real reviews of the code, and ship it out.

      I also like how you blanket-troll all vendors of proprietary applications as if none possess basic ethics.

      He does paint with a bit of a broad brush; but he also has a point. Commercial, closed source vendors are running a business and their primary motivation is money. Sadly, that often means hiding security breaches from users, even when that places those users at risk. OSS projects may have commercial motivations as well, but because of the process they cannot easily hide this type of problem... which is good for users.

  6. Has the compromised account been secured? by Ambiguous+Puzuma · · Score: 4, Interesting

    If the vulnerability was introduced through a compromised account, is there any assurance that that account is no longer compromised? I see no mention of that.

  7. Re:They got lucky by broken_chaos · · Score: 4, Informative

    I don't think they are. MD5 is on the main SquirrelMail site, package is hosted on SourceForge.

  8. Don't trust squirrels! by Jester998 · · Score: 4, Funny

    I, for one, refuse to trust my mail to any creature that can be this devious.

  9. 1.5.1 was compromised as well... by D'Arque+Bishop · · Score: 5, Informative

    One thing that wasn't covered in the story...

    Yesterday morning it was discovered that the 1.5.1 (development) release had been compromised as well. It hadn't been discovered until then as the hacker had modified a different file in a slightly different way. If you're running a version of 1.5.1 that had been downloaded after some time in late November, then it would be a good idea to remove it or replace it with an SVN release (which was not compromised).

    There's no official announcement yet, but 1.5.1 has been pulled from distribution and an official announcement will probably be forthcoming.

    Hope this helps...

  10. Re:Ouch. Is RoundCube stable yet? by coryking · · Score: 4, Informative

    Why is this modded as a troll?

    Roundcube has great potential, but it isn't nearly as mature as SM. It does seem to be getting better though. The big problem I have with Roundcube is it doesn't have plugins. No plugins = no Sieve filters (avelsieve), which is a big deal to me. No plugins = no other cool things that Squirrelmail has like importing and exporting address books from all kinds of crazy places, no admin plugins, etc...

    Someday though. It has always looked and functioned way nicer than squirrelmail, it just needs more backend sysadmin goodness.