SquirrelMail Repository Poisoned with Critical flaw
SquirrelMail Repository Poisoned with Critical flaw
18-12-2007 8:52 PM
http://www.beskerming.com/commentary/2007/12/19/313/SquirrelMail_Repository_Poisoned_with_Critical_flaw
http://it.slashdot.org/article.pl?sid=07/12/18/1847233
At the end of last week the SquirrelMail development team placed a public announcement on their website, alerting readers that the primary download repository for SquirrelMail had been compromised, and at least two versions of the popular webmail application had been affected.
While the modification was minor, a simple change to a PHP global variable, it led to the case where the compromised versions of SquirrelMail would allow arbitrary remote code execution. With the earliest affected version (1.4.11) having been made available in late September, it could be that there are a significant number of installations that may now be vulnerable to attack and compromise.
Uncovering the poisoning was the result of a simple piece of validation that a lot of downloaders tend to ignore - verifying that the MD5 signature matches what was just downloaded (even though that practice should be regarded as a weakened security measure). Investigation work from the SquirrelMail team has pointed to the compromise of a release maintainer's account as the probable entry point to modify the available packages for the currently-unidentified attackers.
It is recommended that users and administrators who are using the affected versions (1.4.11 and 1.4.12) should update to version 1.4.13 at the earliest opportunity. Irrespective of the version obtained, or in use, checking the signatures will help mitigate the risk of future compromise being successful.
The dangers of PHP global variables are fairly well-known and this case is an excellent example of how a seemingly minor change can lead to major functionality and security differences (though the SquirrelMail team's initial review did not initially consider the change to have introduced a critical vulnerability). Credit to Cgisecurity for initially uncovering this news.
Has there been any comment from PlusNet on this topic? I for one have avoided using SquirrelMail as far as humanly possible. Is an alternative in the pipeline?
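The checksum check the quoted article describes, as an added example that is not part of the original post or of the SquirrelMail project's own release tooling. The tarball name, its contents and the "published" digest are constructed locally so the script runs offline; no real SquirrelMail checksums are reproduced. SHA-256 is the preferred algorithm, with MD5 kept only for comparing against what a project actually published.

```shell
#!/bin/sh
# Added example: verify a downloaded release archive against a digest that was
# published out of band, and refuse to proceed on a mismatch. The release file
# and the "published" value below are constructed here so the script runs offline.

set -eu

# digest ALG FILE -> prints the hex digest of FILE using ALG (md5 or sha256).
digest() {
    alg="$1"; file="$2"
    case "$alg" in
        md5)    md5sum "$file"    | awk '{print $1}' ;;
        sha256) sha256sum "$file" | awk '{print $1}' ;;
        *)      echo "unknown algorithm: $alg" >&2; return 2 ;;
    esac
}

# verify_download ALG FILE EXPECTED -> returns 0 on match, 1 on mismatch.
# EXPECTED must come from somewhere the attacker who replaced the tarball could
# not also rewrite (the project's announcement, a second mirror, a mailing-list
# post), not from a checksum file sitting next to the tarball on the same host.
verify_download() {
    alg="$1"; file="$2"; expected="$3"
    actual="$(digest "$alg" "$file")"
    if [ "$actual" = "$expected" ]; then
        echo "OK   $alg $file"
        return 0
    fi
    echo "FAIL $alg $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# demo -> builds a stand-in release, verifies it, then simulates a poisoned
# mirror by changing one line of the archive and confirms the check now fails.
# The file name "webmail-1.4.13.tar.gz" is hypothetical.
demo() {
    tmp="$(mktemp -d)"
    release="$tmp/webmail-1.4.13.tar.gz"
    printf 'original release contents\n' > "$release"

    # In practice this value is read from the maintainer's announcement;
    # here we record it ourselves from the untampered file.
    published="$(digest sha256 "$release")"
    verify_download sha256 "$release" "$published"

    # A small modification, like the one the article describes, changes the digest.
    printf 'original release contents\n# one injected line\n' > "$release"
    if verify_download sha256 "$release" "$published"; then
        echo "unexpected: tampered file passed verification" >&2
        rm -rf "$tmp"
        return 1
    fi

    rm -rf "$tmp"
    return 0
}

demo
```

Where a project also publishes a detached OpenPGP signature, `gpg --verify release.tar.gz.asc release.tar.gz` against a maintainer key obtained independently of the download site is a stronger check than any plain digest: a digest only proves the file is the one the publisher meant to serve, and an attacker with the release maintainer's account can publish a matching digest for a backdoored file.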
1 REPLY
Re: SquirrelMail Repository Poisoned with Critical flaw
18-12-2007 9:28 PM
Hi
We have not updated to 1.4.11 (or later) yet, so I don't think this will affect us.