In association with heise online

03 August 2009, 19:01

SquirrelMail password modules infiltrated

When it became known that the web servers of the SquirrelMail open-source project had been broken into in late June, the operators initially stated that they didn't believe plug-ins had been modified as a result. Now they are admitting that the attackers added code to the following plug-ins:

  • sasql-3.2.0
  • multilogin-2.4-1.2.9
  • change_pass-3.0-1.4.0

The new versions steal passwords, among other things, and send them to an offsite server.

No more specific information has been provided that might allow a user to recognize an infected version of a plug-in, nor is there any explanation of why it took more than a month to discover the tampering. Even a security message on the mailing list makes only vague mention of scheduling conflicts and communication problems as reasons for the server downtime.

The announcement by the SquirrelMail project "strongly recommends" that users of the affected plug-ins reinstall them for the sake of security. The clean versions provided for downloading have the following MD5 sums:

a492922e5b0d2245d4e9bc255a7c5755 sasql-3.2.0.tar.gz
b143f2dc82f9e98dd43c632855255075 multilogin-2.4-1.2.9.tar.gz
2cff7c5d4f6f5d8455683bb5d96bb9fe change_pass-3.0-1.4.0.tar.gz

The announcement doesn't say whether the clean packages on the server delivered the same values before the break-in. The incompetent way this "worst case scenario" has been handled certainly suggests that people should think again about using SquirrelMail.
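
One way to check locally stored plug-in archives against the MD5 sums listed above, as an added example that is not part of the original article or of the SquirrelMail project's code; the function names and the directory argument are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# MD5 sums of the clean packages, copied from the list in the article above.
PUBLISHED_SUMS = """\
a492922e5b0d2245d4e9bc255a7c5755 sasql-3.2.0.tar.gz
b143f2dc82f9e98dd43c632855255075 multilogin-2.4-1.2.9.tar.gz
2cff7c5d4f6f5d8455683bb5d96bb9fe change_pass-3.0-1.4.0.tar.gz
"""

def parse_sums(text):
    """Parse 'digest filename' lines into {filename: digest}; reject malformed lines."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not an MD5 digest: {digest!r}")
        sums[name.strip().lstrip("*")] = digest
    return sums

def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large archives are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_archives(directory, sums):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every listed archive."""
    result = {}
    for name, expected in sums.items():
        path = Path(directory) / name
        if not path.is_file():
            result[name] = "MISSING"
        elif md5_of(path) == expected:
            result[name] = "OK"
        else:
            result[name] = "MISMATCH"
    return result

if __name__ == "__main__":
    # Hypothetical usage: pass the directory holding the downloaded tarballs.
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    report = check_archives(directory, parse_sums(PUBLISHED_SUMS))
    for name, status in report.items():
        print(f"{status:9} {name}")
    sys.exit(0 if all(s == "OK" for s in report.values()) else 1)
```

An OK result only shows that an archive is identical to the package the project now publishes as clean. Because the announcement does not say whether the packages had the same sums before the break-in, a MISMATCH on an older download does not by itself prove tampering, but such an archive should still be replaced with a fresh download.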
