SquirrelMail Repository Poisoned with Critical flaw

Zaphod
Dabbler
Posts: 21
Registered: 14-08-2007

SquirrelMail Repository Poisoned with Critical flaw

http://www.beskerming.com/commentary/2007/12/19/313/SquirrelMail_Repository_Poisoned_with_Critical_flaw
http://it.slashdot.org/article.pl?sid=07/12/18/1847233
At the end of last week the SquirrelMail development team placed a public announcement on their website, alerting readers that the primary download repository for SquirrelMail had been compromised, and at least two versions of the popular webmail application had been affected.
While the modification was minor, a simple change to a PHP global variable, it led to the case where the compromised versions of SquirrelMail would allow arbitrary remote code execution. With the earliest affected version (1.4.11) having been made available in late September, it could be that there are a significant number of installations that may now be vulnerable to attack and compromise.
Uncovering the poisoning was the result of a simple piece of validation that a lot of downloaders tend to ignore - verifying that the MD5 signature matches what was just downloaded (even though that practice should be regarded as a weakened security measure). Investigation work from the SquirrelMail team has pointed to the compromise of a release maintainer's account as the probable entry point to modify the available packages for the currently-unidentified attackers.
It is recommended that users and administrators that are using the affected versions (1.4.11 and 1.4.12) should update to version 1.4.13 at the earliest opportunity. Irrespective of the version obtained, or in use, checking the signatures will help mitigate the risk of future compromise being successful.
The dangers of PHP global variables are fairly well-known and this case is an excellent example of how a seemingly minor change can lead to major functionality and security differences (though the SquirrelMail team's initial review did not initially consider the change to have introduced a critical vulnerability). Credit to Cgisecurity for initially uncovering this news.

Has there been any comment from PlusNet on this topic? I for one have avoided using SquirrelMail as far as humanly possible. Is an alternative in the pipeline?
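As an added illustration of the checksum verification the quoted article recommends (this is an added example, not code from the SquirrelMail project, the beskerming.com article, or either poster): a POSIX shell script that refuses to accept a downloaded tarball unless it matches a published checksum list, and that treats an MD5-only match as weak evidence, in line with the article's caveat. The file names, the tarball contents and the checksum list are constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Added example: verify a downloaded release against published checksums.
# Nothing here is taken from SquirrelMail; file names are hypothetical.
set -eu

# Hash helpers that work with GNU coreutils (sha256sum/md5sum) or the
# BSD/macOS equivalents (shasum/md5).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
    else md5 -q "$1"; fi
}

# verify_release FILE CHECKSUM_LIST
# CHECKSUM_LIST holds "<hex>  <filename>" lines as written by sha256sum or
# md5sum (a leading '*' on the filename, i.e. binary mode, is tolerated).
# The hash length selects the algorithm: 64 hex chars = SHA-256, 32 = MD5.
# Exit status: 0 = SHA-256 match, 2 = only an MD5 line exists and it matches
# (weak evidence: MD5 collisions are practical), 1 = mismatch or no entry.
verify_release() {
    file=$1; list=$2
    name=$(basename "$file")
    expected_sha=$(awk -v n="$name" \
        '{ f=$2; sub(/^\*/, "", f); if (length($1)==64 && f==n) {print $1; exit} }' "$list")
    expected_md5=$(awk -v n="$name" \
        '{ f=$2; sub(/^\*/, "", f); if (length($1)==32 && f==n) {print $1; exit} }' "$list")
    if [ -n "$expected_sha" ]; then
        [ "$(sha256_of "$file")" = "$expected_sha" ] && return 0
        return 1
    fi
    if [ -n "$expected_md5" ]; then
        [ "$(md5_of "$file")" = "$expected_md5" ] && return 2
        return 1
    fi
    return 1   # no checksum published for this file: do not trust it
}

# demo: a constructed "release", the checksums a project would publish for
# it, and then the same file after one byte is altered on the mirror.
demo() {
    tmp=$(mktemp -d)
    clean="$tmp/webmail-example.tar"                 # constructed stand-in
    printf '<?php $x = 1; ?>\n' > "$clean"
    { printf '%s  %s\n' "$(sha256_of "$clean")" "$(basename "$clean")"
      printf '%s  %s\n' "$(md5_of "$clean")" "$(basename "$clean")"
    } > "$tmp/CHECKSUMS"
    verify_release "$clean" "$tmp/CHECKSUMS" && good=0 || good=$?
    printf '<?php $x = 2; ?>\n' > "$clean"           # the "poisoned" copy
    verify_release "$clean" "$tmp/CHECKSUMS" && bad=0 || bad=$?
    rm -rf "$tmp"
    echo "clean=$good tampered=$bad"
}

if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"     # usage: ./verify.sh <tarball> <checksum-list>
else
    demo                         # prints: clean=0 tampered=1
fi
```

A checksum fetched from the same compromised server as the tarball proves nothing, which is why the script only reports "strong" for SHA-256 and still leaves the stronger step to the operator: where a project publishes a detached PGP signature, run `gpg --verify release.tar.gz.asc release.tar.gz` against a key obtained out of band, since an attacker with a maintainer's upload account can rewrite the .md5 file as easily as the package.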
Colin
Grafter
Posts: 1,264
Registered: 04-04-2007

Re: SquirrelMail Repository Poisoned with Critical flaw

Hi
We have not updated to 1.4.11 (or later) yet so I don't think this will affect us.