SquirrelMail password modules infiltrated
When it became known in late June that the web servers of the SquirrelMail open-source project had been broken into, the operators initially stated that they didn't believe plug-ins had been modified as a result. They are now admitting that the attackers added code to the following plug-ins:
- sasql-3.2.0
- multilogin-2.4-1.2.9
- change_pass-3.0-1.4.0
The new versions steal passwords, among other things, and send them to an offsite server.
More specific information that might allow a user to recognize an infected version of a plug-in is lacking, as is any explanation of why it took more than a month to discover the tampering. Even a security message on the mailing list makes only vague mention of scheduling conflicts and communication problems as reasons for the server downtime.
The announcement by the SquirrelMail project "strongly recommends" that users of the affected plug-ins reinstall them for the sake of security. The clean versions provided for downloading have the following MD5 sums:
| MD5 sum | File |
| --- | --- |
| a492922e5b0d2245d4e9bc255a7c5755 | sasql-3.2.0.tar.gz |
| b143f2dc82f9e98dd43c632855255075 | multilogin-2.4-1.2.9.tar.gz |
| 2cff7c5d4f6f5d8455683bb5d96bb9fe | change_pass-3.0-1.4.0.tar.gz |
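One way to check downloaded archives against these sums, as an added example that is not part of the article or the SquirrelMail announcement. It assumes `md5sum` from GNU coreutils and that the archives sit in one directory; the function name `verify_archives` is hypothetical. A match only shows that an archive equals what the project currently publishes.

```shell
#!/bin/sh
# Added example: compare plug-in archives with the MD5 sums quoted in the
# article. Assumes md5sum (GNU coreutils) is installed.

# Sums as quoted from the SquirrelMail announcement, in "md5sum" list format.
PUBLISHED_SUMS='a492922e5b0d2245d4e9bc255a7c5755  sasql-3.2.0.tar.gz
b143f2dc82f9e98dd43c632855255075  multilogin-2.4-1.2.9.tar.gz
2cff7c5d4f6f5d8455683bb5d96bb9fe  change_pass-3.0-1.4.0.tar.gz'

# verify_archives DIR [SUMS]
#   DIR   directory holding the downloaded .tar.gz files
#   SUMS  optional "hash  filename" list; defaults to PUBLISHED_SUMS
# Prints OK, MISMATCH or MISSING for every listed archive and returns 0
# only when all of them are present and match.
verify_archives() {
    dir=$1
    sums=${2:-$PUBLISHED_SUMS}
    rc=0
    while read -r want name; do
        [ -n "$name" ] || continue          # skip blank lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING   $name"
            rc=1
            continue
        fi
        # Hash via stdin so the output carries no file name to parse around.
        have=$(md5sum < "$path" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (got $have)"
            rc=1
        fi
    done <<EOF
$sums
EOF
    return "$rc"
}

# Usage: verify_archives /path/to/downloads
```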
The announcement doesn't say whether the clean packages on the server delivered the same values before the break-in. The incompetent way this "worst case scenario" has been handled certainly suggests that people should think again about using SquirrelMail.
See also:
- SECURITY: SquirrelMail Webserver Compromise Update, and Plugin Status, from Jonathan Angliss, SquirrelMail
(djwm)