SquirrelMail Repository Poisoned with Critical Flaw
At the end of last week the SquirrelMail development team placed a public announcement on their website, alerting readers that the primary download repository for SquirrelMail had been compromised, and at least two versions of the popular webmail application had been affected.
While the modification was minor, a simple change to a PHP global variable, it left the compromised versions of SquirrelMail open to arbitrary remote code execution. With the earliest affected version (1.4.11) having been available since late September, a significant number of installations may now be vulnerable to attack and compromise.
Uncovering the poisoning was the result of a simple piece of validation that many downloaders tend to skip: verifying that the published MD5 checksum matches the file that was just downloaded (even though MD5 on its own should be regarded as a weakened security measure). Investigation by the SquirrelMail team has pointed to the compromise of a release maintainer's account as the probable entry point used by the currently unidentified attackers to modify the available packages.
Users and administrators running the affected versions (1.4.11 and 1.4.12) should update to version 1.4.13 at the earliest opportunity. Whatever version is obtained or in use, checking the published checksums will help reduce the risk of a future compromise succeeding.
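The check that exposed this compromise can be automated so it is never skipped. The following is an added example (not code from the article or from the SquirrelMail project): it streams a downloaded archive through MD5 and SHA-256, compares the results against digests copied from the project's announcement using a constant-time comparison, warns when MD5 is the only digest available, and fails on any mismatch. The two archives and their digests are constructed sample data computed locally; they are not the real SquirrelMail packages or the hashes the project published.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample data standing in for a genuine release archive and for a
# copy of it that was modified on the mirror. Not the real SquirrelMail files.
GENUINE_RELEASE = b"release archive contents (constructed sample data)\n"
POISONED_RELEASE = GENUINE_RELEASE + b"<?php $some_global = 'modified'; ?>\n"

ALGORITHMS = ("md5", "sha256")


def digests_of_file(path, chunk_size=1 << 20):
    """Stream a file once and return {"md5": hex, "sha256": hex}."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_download(path, published):
    """Check a downloaded file against digests obtained out of band.

    `published` maps algorithm name to the expected hex digest, copied from the
    project's announcement rather than from the mirror that served the file.
    Returns (ok, warnings, report): ok is True only if every published digest
    matches; warnings notes when MD5 is the only digest on offer, since that is
    a weakened check; report gives the per-algorithm result.
    """
    actual = digests_of_file(path)
    report = {}
    for algo, expected in published.items():
        got = actual.get(algo)
        # compare_digest avoids leaking the match position through timing;
        # lower() tolerates upper-case hex in the published value.
        report[algo] = got is not None and hmac.compare_digest(got, expected.strip().lower())
    warnings = []
    if set(published) <= {"md5"}:
        warnings.append("only MD5 published: collision-prone, prefer SHA-256 or a signature")
    ok = bool(report) and all(report.values())
    return ok, warnings, report


def demo():
    """Write both constructed archives to a temp dir and verify them against
    the digests of the genuine one. Returns a dict of the three outcomes."""
    published = {name: hashlib.new(name, GENUINE_RELEASE).hexdigest() for name in ALGORITHMS}
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "genuine.tar.gz")
        poisoned = os.path.join(tmp, "poisoned.tar.gz")
        with open(genuine, "wb") as fh:
            fh.write(GENUINE_RELEASE)
        with open(poisoned, "wb") as fh:
            fh.write(POISONED_RELEASE)
        genuine_ok, _, _ = verify_download(genuine, published)
        poisoned_ok, _, report = verify_download(poisoned, published)
        for algo, matched in report.items():
            print(f"poisoned copy {algo}: {'match' if matched else 'MISMATCH'}")
        # Same genuine file, but only an MD5 digest available: passes, with a warning.
        _, md5_warnings, _ = verify_download(genuine, {"md5": published["md5"]})
    return {"genuine_ok": genuine_ok, "poisoned_ok": poisoned_ok, "md5_only_warned": bool(md5_warnings)}


if __name__ == "__main__":
    print(demo())
```

The digests to compare against must come from somewhere the attacker who controls the mirror cannot also edit, such as the project's announcement or a signed release note; a checksum file sitting next to the tarball on the same compromised repository proves nothing.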
The dangers of PHP global variables are fairly well known, and this case is an excellent example of how a seemingly minor change can produce major differences in functionality and security (the SquirrelMail team's initial review did not consider the change to have introduced a critical vulnerability). Credit to Cgisecurity for initially uncovering this news.
19 December 2007