SquirrelMail Repository Poisoned

SkiifGeek writes "Late last week the SquirrelMail team posted information on their site about a compromise to the main download repository for SquirrelMail that resulted in a critical flaw being introduced into two versions of the webmail application (1.4.11 and 1.4.12). After gaining access to the repository through a release maintainer's compromised account (it is believed), the attackers made a slight modification to the release packages, modifying how a PHP global variable was handled. This introduced a remote file inclusion bug — leading to an arbitrary code execution risk on systems running the vulnerable versions of the software. The poisoning was identified by a difference in MD5 signatures for version 1.4.12. Version 1.4.13 is now available."

When a member of the team arrived for work

[Anonymous Coward]

This was the first sign of trouble: http://i23.tinypic.com/2ezqkht.jpg [tinypic.com]

SquirrelMail team's first response after discovery

[Anonymous Coward]

...of the breech: "Aw Nuts!"

SquirrelMail is poisoned, so...

[batquux]

Horde FTW!

The Horde for the what?

[MrZaius]

Unfortunately the Horde doesn't require intervention at in the code repo to be compromised. One of my clients has a Horde:IMP install has been compromised three different times this year with three different versions.

You know...

[mdm-adph]

...I've never made sure to always check my MD5 signatures, but I damn sure am now.

Re:You know...

[KiloByte]

What's the point? If you download the signatures from the same website as the packages, you won't catch any but most lazy/inept attackers. The ones here were that stupid, but come on, this trick works only once.

In fact, if an attacker can tamper with the website on any point (including a router/proxy on the way), they can change the md5 whenever they change any other communication if they only care enough. For any resilience, you'd need public key cryptography; but even then you will be only as safe as the least safe private key.

Re:

[myvirtualid]

check my MD5 signatures

What's the point?

What's the point, indeed. We should have moved away from MD5 signatures years ago. It's only a matter of time before some maliciously inclined asshat starts forging MD5 signatures on FLOSS packages, just to prove a point.

MD5 is broken [schneier.com] and should [wikipedia.org] not be used [cryptography.com]. It's time the FLOSS world went to at least SHA-224, if not SHA-512 (for future proofing, lots of bits). And just for reference, there is an open call [nist.gov] for a new secure hash [schneier.com].

Re:

[OrangeTide]

When you use the MD5's you check against the main site. to see if the mirror was compromised. If the main site is compromised then there is nothing MD5 can do to help you. nor can SHA256 help you there either. What you need is a full on asymmetric digital signature, with a well trusted key posted long before releases are signed. So they can be verified independently.

Re:

[mr_mischief]

That will probably help if the problem's been discovered already. It won't help much if it comes up with legit download sites and no news about the breach. Still, it's another thing to check.

Re:

[araemo]

...I've never made sure to always check my MD5 signatures, but I damn sure am now.

Unfortunately, the next guy will just edit the .md5 files to contain the correct signature.

(For those who don't get it: MD5 only caught it because the 'hacker' didn't think to check for MD5 signatures. They're trivial to regenerate after you change the file.)

GPG signing is more secure, but if the secret key is compromised, they can be faked as well. That said, there are at least revocation procedures that can catch it even if you don't read the news.

Re:

[Nasarius]

Exactly! I don't understand why GnuPG signatures aren't in common use in the open-source world. Gentoo and other distros use them to sign packages, but if there's a weak link upstream, that's no good. It requires some extra infrastructure (a central key server for well-established developers/release engineers would be nice), but once you had that set up, verifying any package would be automatic.

GPG signing is more secure, but if the secret key is compromised, they can be faked as well.

And that's relatively

Not just Gentoo.

[Kadin2048]

Debian uses GPG to sign packages as well. I don't know about RedHat's RPM system, although I assume it must use some sort of cryptographic validation on binary packages; it's just too much of a weak link to ignore completely.

Re:

[Intron]

rpm --checksig <package_file>

                    This checks the PGP signature of package to
                    ensure its integrity and origin.

Re:You know...

[D'Arque Bishop]

Unfortunately, the next guy will just edit the .md5 files to contain the correct signature.

(For those who don't get it: MD5 only caught it because the 'hacker' didn't think to check for MD5 signatures. They're trivial to regenerate after you change the file.)

Correction: MD5 caught it because the MD5 files are stored on the main SquirrelMail server and the packages that were altered were stored on SourceForge. The "hacker" didn't have access to the former, so he couldn't change them.

Hope this helps...

Re:

[dbc001]

So it sounds like the lesson here is to store your signatures on a server that's separate from your release server - that's actually good news. It means that relatively trivial security can go a long way towards detecting these kinds of attacks. In fact, if the releases are posted on a website other than sourceforge, you can probably limit any damage to a very small group of people, even if you do get compromised.

Re:

[D'Arque Bishop]

Isn't creating MD5 collisions (making your changed file match the original MD5 value) something that can be done on a PC nowadays with stuff like this

Current (and future, very likely) releases now have PGP signatures in addition to MD5 signatures. PGP signatures would be a lot more difficult to fake. :-)

Hope this helps...

Re:

[Amouth]

and i would argue that being able to fake both at the same time would be near imposiable

Re:

[chgros]

Isn't creating MD5 collisions (making your changed file match the original MD5 value) something that can be done on a PC nowadays
Thankfully, no!
What's easy is to create 2 files with the same MD5. What's still hard is to create a file with the same MD5 as an existing file.

Re:

[gmack]

What's easy is to create 2 files with the same MD5. What's still hard is to create a file with the same MD5 as an existing file.

Or more to the point hard to create a file with the same MD5 and still manages to contain functional code

You can do anything you want with random characters but uploading that would have been pointless.

Re:

[chgros]

Or more to the point hard to create a file with the same MD5 and still manages to contain functional code
Actually that's not that hard [slashdot.org].

Re:

[JebusIsLord]

In this specific case the cracker would have to create a functioning tarball that WHEN COMPRESSED had the exact correct MD5 signature. Next to impossible, i'd say.

Re:

[chgros]

Actually, it's probably pretty easy to generate a file that compresses to a given string (just uncompress the target). So I'd say the tarball layer is almost irrelevant.
In any case, the fact that you cannot easily create an md5 preimage is the important fact (md5 was mostly designed for this thing to be hard to do).

Re:

[aj50]

Sure, getting another file with the same MD5 might be easy enough, getting one that appears to work like squirrel mail except with a critical vulnerability that has the same md5 hash is a different matter.

Re:

[petermgreen]

afaict many distros do something similar but it only helps if you are using distro packages. Once you move outside of that for whatever reason you are pretty much on your own.

Re:

[brunes69]

If the attacker had access to the main download site and was not a complete ass, they would have just changed the MD5 as well.

Re:

[MikeyVB]

...I've never made sure to always check my MD5 signatures, but I damn sure am now.

Sort of like backups, isn't it? We all know we should do it, but we never really do until it is too late...

Re:

[secPM_MS]

Just a note. The continued reliance upon MD5 is an issue in itself, given the advances in hash analysis over the past decade. At this point it would be wise to go with SHA-256, or if you really want to reduce the number of bits, the first or last 128 bits from a SHA-256 hash.

Even Ubuntu doesn't seem to care about MD5

[KWTm]

Even the Ubuntu community doesn't seem to be concerned about a MD5 discrepancy. The CD-ROM image for the newest Kubuntu, found at http://torrent.ubuntu.com6969/ [torrent.ubuntu.com6969] shows that the MD5 hash is:
6709ff39ea47d3563b537b67153f60ee0c932a93

When I downloaded the ISO through BitTorrent, though, I found this instead:

kwtm@host ~/isocd$ md5sum kubuntu-7.10-desktop-i386.iso
ae9b209fe4b9caf545fa2011631de797 kubuntu-7.10-desktop-i386.iso

I mean, this is coming through BitTorrent, so other than myself, there must be thousands o

Re:

[hankwang]

found at http://torrent.ubuntu.com6969/ [torrent.ubuntu.com6969] shows that the MD5 hash is: 6709ff39ea47d3563b537b67153f60ee0c932a93

That's funny, because an md5 checksum is always 128 bits, i.e. 32 bytes. Read the bottom of the page: info hash: SHA1 hash of the "info" section of the metainfo (*.torrent) Try "sha1sum" next time, and on the correct file.

Re:

[petermgreen]

6709ff39ea47d3563b537b67153f60ee0c932a93 is the info hash of the torrent.

This is NOT a MD5 of the file it is a SHA1 hash of the info section of the torrent which contains the SHA1 hashes of the individual peices of the file and some other metainformation.

Re:beyond md5

[plague3106]

If you read the article, or even the summary, it was someone checking the MD5 that discovered the poisioning. So... I'd say it certainly helped.

Re:

[el americano]

With a Hollywood movie hacker, you mean. It is theoretically possible for this to be done, but researchers have not accomplished it yet. Just last month someone came close, but it required altering the original program to match the new MD5 collision value: Software Integrity Checksum Vulnerability [win.tue.nl]

But I'm sure it would be no problem for your über-hacker or for Chuck Norris.

Re:

[cloricus]

A friend of mine was working with md5 sums for a uni research project which led to many geeky get togethers in the refec with lots of other nerds just mulling over the limitations of md5 sums and how to take advantage of them in this project. Having a think about it if you were to use the limitations for bad ends it should be rather easy. For example you can easily change the contents of source code (assuming it's in a tar with the tars md5 sum) to what you want and just pad it out with extra rubbish cont

Re:

[el americano]

and just pad it out with extra rubbish content until you hit the same md5sum again.

You seem to be a little unclear on the concept. Were those DnD nerds or computer nerds? All hashes repeat, but the time required to calculate by brute force a fraction of the 2^128 different padded files until you might hit the one you want is designed to be years with the current technology and what we are expected to have in 10 years. MD5 is broken because there are shortcuts to make this calculation easier. However, the po

Re:

[cloricus]

I don't know any DnD nerds and luckily no one as condescending as you.

The project we were talking about was doing the opposite to what I suggested. To do what we wanted would take a large cluster only days to complete so I assumed that in the other direction would be similar (not the same, similar, since you are in to semantics), I really should have thought about it further and realised it was a power. Lucky I don't have to work with you or help you on a project, one minor mistake and it's out in the

Re:

[OrangeTide]

It tells you which files were altered since the previous version. a curious developer can then audit the new files. It is still a manual process, and really it wouldn't be any different than just doing a diff. except you might not want to keep the source code around for old versions to diff.

Re:beyond md5

[DarkHelmet433]

Yes. The article is vague, and the title on /. is worse - implies the source repository. It seems people have been easily mislead as a result. Always read the actual article, not a 2nd or 3rd hand summary.

From there:

"The code modifications did not made it into our source control, just the final package. We are currently investigating older packages to see if they were also compromised. "

Ouch. Is RoundCube stable yet?

[gambolt]

Anyone been using it for a while without any problems?

I've not evaluated it recently. Horde is a PITA to set up and this doesn't give me confidence in the SM team.

Re:Ouch. Is RoundCube stable yet?

[pembo13]

I love it, it it very nice on eyes as compared to SquirelMail. I do not use if regularly, but I trust it for whenever it is needed.

Re:

[mlwmohawk]

Anyone been using it for a while without any problems?

I use it on my site and install it for customers. You won't build a "hotmail" with it, and a rich user client like Thunderbird is almost always a better choice for users, but for those who need web access to their email, it is absolutely great.

Re:

[Nimey]

How's it work with PDAs? Squirrelmail sucks balls on a PDA-sized screen.

Re:

[coryking]

How about any open source imap client for that matter?

There used to be some IMAP to WAP client based on PHP, but it had all kinds of crazy problems like you had to hardcode your login to the config file. It also was read only - you couldn't send mail from the phone.

Is there anything new on the market for mobile users?

Re:

[mashade]

Check out the Claros InTouch suite @ http://claros.org/ [claros.org]

Their stuff runs on Java with Tomcat, but is reasonably good. The mobile client is decent (Claros Mini). If you dig Tomcat, that is ;)

Re:

[pongo000]

and this doesn't give me confidence in the SM team

Then you should probably stay away from Debian [linuxinsider.com], Sendmail [cert.org], Apache [apacheweek.com], or...well, hell, just stay away from Open Source, period, if a server/distro compromise is the measuring stick you use to measure "confidence."

Re:Ouch. Is RoundCube stable yet?

[coryking]

Why is this modded as a troll?

Roundcube has great potential, but it isn't nearly as mature as SM. It does seem to be getting better though. The big problem I have with Roundcube is it doesn't have plugins. No plugins = no Sieve filters (avelsieve), which is a big deal to me. No plugins = no other cool things that Squirrelmail has like importing and exporting address books from all kinds of crazy places, no admin plugins, etc...

Someday though. It has always looked and functioned way nicer than squirrelmail, it just needs more backend sysadmin goodness.

Re:

[RemyBR]

I'm using it for some weeks now... small user base though, about 25 people. Runs fine after I did some small fixes on the identity management and auto user creation features, which had minor bugs on the release I got. But overal it's a great piece of software.

Re:

[tux0r]

I thought of RoundCube the instant I saw this article.

I've just installed Round Cube 0.1-RC2 on my webserver to get reliable access to my non-work email. Apart from the dubious 0.1 version number (way to instil confidence in the end users: call an otherwise stable first release 1.0!) it is significantly more reliable than beta1 and even more crisply polished than before.

SquirrelMail and Horde are mature, yes, but they seem to bloat. I just want a lightweight, well-designed web access system so I don't have

Bad design

[Anonymous Coward]

Whoever decided that sending mail by using squirrels as couriers through these series of tubes is just damn wrong. Even worse, who are these sick bastards poisoning squirrels?

Re:Bad design

[Technomonics]

STP (Squirrel transport Protocol) suffers from the same inherent problems as IPOAC(IP over Avian Carrier) in that they are both very vulnerable to a a CITM (Cat In The Middle) attack. If however you were to implement STP over RHB (Roving Hamster Ball), the packet may still be intact yet there may occur an indeterminate amount of delay.

FWIW

Re:

[VGPowerlord]

Fortunately, its replacement Squirrels (Multiple) Transport Protocol (SMTP) is more reliable.

Re:

[Midnight Thunder]

Whoever decided that sending mail by using squirrels as couriers through these series of tubes is just damn wrong. Even worse, who are these sick bastards poisoning squirrels?

The problem first started when they missed the fact that tubes were designed with mice and hamsters in mind.

Re:

[_Sprocket_]

Even worse, who are these sick bastards poisoning squirrels?

Probably the Iranians. They're already on to the West's previous attempts [msn.com] in the region. It is only natural they'd move to "cyber warfare." It's the newest thing in espionage circles. All the trendy countries are doing it. Iran isn't going to be left out.

Re:

[piojo]

Even worse, who are these sick bastards poisoning squirrels?

I think one of them may have been Tom Lehrer.

Thank Heaven For Open Source

[mpapet]

If this were to happen to a proprietary application you wouldn't get an honest answer from the vendor. The bigger the vendor the worse the response.

Re:Thank Heaven For Open Source

[DigitAl56K]

Really? How many vendors of proprietary applications have their source repositories sitting on the Internet with a visible public interface and developers who may never have even met each other logging in from all over the world?

I also like how you blanket-troll all vendors of proprietary applications as if none posses basic ethics.

Re:

[mpapet]

How many vendors of proprietary applications have their source repositories sitting on the Internet with a visible public interface and developers who may never have even met each other logging in from all over the world?

What's wrong with anything you just described? These are all good traits. It maximizes cooperation toward a common goal. It's terribly misleading to ignore the fact that the public access is read-only.

I also like how you blanket-troll all vendors of proprietary applications as if none po

Re:Thank Heaven For Open Source

[99BottlesOfBeerInMyF]

Really? How many vendors of proprietary applications have their source repositories sitting on the Internet with a visible public interface and developers who may never have even met each other logging in from all over the world?

Considering the trend for outsourcing, probably more than you'd think. A lot more yet simply ship the code off to India or Latvia or somewhere, get it back, perform no real reviews of the code, and ship it out.

I also like how you blanket-troll all vendors of proprietary applications as if none posses basic ethics.

He does paint with a bit of a broad brush; but he also has a point. Commercial, closed source vendors are running a business and their primary motivation is money. Sadly, that often means hiding security breaches from users, even when that places those users at risk. OSS projects may have commercial motivations as well, but because of the process they cannot easily hide this type of problem... which is good for users.

Re:

[Intron]

How many vendors of proprietary applications have their source repositories sitting on the Internet with a visible public interface and developers who may never have even met each other logging in from all over the world?

Nobody knows.

Re:

[m2943]

Really? How many vendors of proprietary applications have their source repositories sitting on the Internet with a visible public interface and developers who may never have even met each other logging in from all over the world?

What does that have to do with anything? The repository was compromised because one of the developer's accounts was compromised. This also happens in companies.

In addition, I suspect that corporate developers are more likely than FOSS developers to put in backdoors themselves--bec

Has the compromised account been secured?

[Ambiguous Puzuma]

If the vulnerability was introduced through a compromised account, is there any assurance that that account is no longer compromised? I see no mention of that.

They got lucky

[sqlrob]

MD5 was on the same server. What prevented the attacker from changing that as well?

Re:

[tokul]

MD5 was on the same server.

Nope. They are on different server.

Re:They got lucky

[broken_chaos]

I don't think they are. MD5 is on the main SquirrelMail site, package is hosted on SourceForge.

Re:

[wattrlz]

AFAIK the gpg one would be hard because it requires a private key that wouldn't be readily available, but you're right. No system is perfectly secure. This was probably a good example of security through obscurity, or at least, lazy attacker-ity.

Re:

[sqlrob]

Or even better, the key is never on a networked computer, ever. That is a lot harder to breach, since it would require a physical compromise as well as a network. Things need to be layered as much as possible.

At first, I saw "Squirrel...

[davidsyes]

Male Suppository Poisoned."....

Re:

[rts008]

LOL!! I thought I saw something similar at first also, but your version was better than mine!

I'm NOT going to try to give any squirrel (male or female) a suppository!! It seems like it would have similar results to sticking your hands in a running garbage disposal in your sink.

There's bound to be a better way to poison your male squirrels than suppositories!

three versions compromised

[Anonymous Coward]

1.4.11, 1.4.12 and 1.5.1. Same attack bassed on CGI 1.1 specification implemented by PHP.

Was Tom Lehrer behind this?

[wramsdel]

He has a proclivity for poisoning pigeons...maybe he's branched out to squirrels.

Re:

[Stanistani]

Actually in the song, he mentions squirrels as well.

He's thorough. _

Makes me wonder

[tuomoks]

Good catch but it makes me wonder how the SC/CM is managed today? Open or closed source is vulnerable for developer access. I can understand that open source projects don't always have resources to run full SC/CM systems but I don't see full control even in some closed source environments I know. It is not difficult but needs some planning and computer resources, not human resources! Almost only places I have seen that kind of system controls are some insurance, banking (less often) and governments (often a mess). It is not just security, mistakes happen, and on long run it always pays back, try to tell that to management(heh!) Maybe I'm biased but after a couple of mishaps a long time ago we implemented a SC/CM system to protect against unverified and/or untested systems going to production and several other companies started using similar methods after us. It really can be automated with some planning. First everybody hates it and 6 months later they love the benefits, as I said, everybody makes mistakes and one command recovery is very nice when that happens before anything goes wrong.

Re:

[tuomoks]

Source Control / Configuration Management. In a perfect ( an utopia! ) system no code is ever added to anything going to production but to test systems. All code changes are tracked, traceable and documented against set of rules. All changes are are authorized, not by developer but for example lead or architect. Once accepted code changes are locked, can not be modified or deleted. Much what is done for example in Linux Kernel except usually in closed source systems you can (mostly, excluding some for any r

Re:

[mr_mischief]

Source Code/Change Management. It's a generic term like Version Control System. Basically, at the level of discussion, the poster didn't want to be tied to the specifics of RCS, CVS, SCCS, Subversion, Git, Perforce, or some other package.

That's one of the great things about SourceForge, though. CVS and Subversion are part of the repository they provide to projects hosted there, so your developers only have to be users and not worry about administration of a version control system. They also provide a bug tr

Re:Makes me wonder, oops

[tuomoks]

You are of course right, it is Change NOT Configuration management in this case. My bad.

Re:

[mr_mischief]

That's aninteresting distinction which may or may not need to be made.

I've seen "Change Management" and "Configuration Management" used interchangeably as "CM" in "SC/CM" quite a bit. I think it makes sense, because versioning of config files in some environments can be as useful as versioning of source code. /source code|configuration) management/ vs. /source code change management/

I support the interchangeable use based on the grounds that depending on your perspective there's not much difference and that

Don't trust squirrels!

[Jester998]

I, for one, refuse to trust my mail to any creature that can be this devious. [maniacworld.com]

Re:

[GWBasic]

I, for one, refuse to trust my mail to any creature that can be this devious.

That obstacle course looks like it could be a level in Super Mario Galaxy. Instead of Mario grabbing the star, the squirrel grabs the nut!

O.U.C.H.

[dkf]

Poisoned distributions? Nasty indeed. Anyone got any idea how it happened? I'd imagine that targeting a specific developer just when he's doing a release, and being able to make a change to that release that causes a hole to be opened up, is quite challenging. Doing it twice is very nasty indeed; someone worked hard at this.

Actually, I think I know one way of doing this that doesn't require the distribution builder's machine to be compromised and which also means that matching even simple signatures like an

Weeee...

[ender_01]

For anyone that doesn't get the 'andweeeeeee' tag may I refer you to http://www.threebrain.com/weeeeee.shtml/ [threebrain.com].

Open vs. Closed Source Security Implications

[tfskelly]

I recently wrote a paper arguing that open source is more secure than closed source because finding and fixing flaws is easier in open source. I'm not sure if this incident supports or refutes that argument. In one post at SquirrelMail's blog, they say that 1.412 is compromised. In the next post, they say that 1.411(released Sept 29) and 1.412(released Dec 5) are compromised. If the time between the first compromised release and the fix is 9 days, nice job. If the time between first compromised release and the fix is 2.5 months, I'm not too impressed. Regardless, it looks like the time between discovery of the flaw and patch is only 1 day, which is pretty outstanding. Why did it take so long to find a MD5 error when the MD5 hashs and downloads are posted right next to each other for several months? Did no one check them for that long? Is this the developer's responsibility, or the responsibility of the implementing community? What measures can be taken to prevent this kind of oversight from happening again? I'm not so worried about the compromise itself - projects will get hacked. But there are safeguards to prevent this exact hack from being too effective, and those safeguards didn't work. Why not?

Re:

[D'Arque Bishop]

The issue is that you're working from a bit of a flawed premise. :-)

1.4.11 and 1.4.12 were released uncompromised. In very late November, someone hacked a developer's SourceForge account and uploaded compromised versions of 1.4.11, 1.4.12, and 1.5.1. As soon as the problem was found in the stable branch, an announcement was made and the original 1.4.x versions restored. As soon as someone came onto Freenode #squirrelmail and explained the EXACT security implications of the poisoned releases, 1.4.11 and 1

1.5.1 was compromised as well...

[D'Arque Bishop]

One thing that wasn't covered in the story...

Yesterday morning it was discovered that the 1.5.1 (development) release had been compromised as well. It hadn't been discovered until then as the hacker had modified a different file in a slightly different way. If you're running a version of 1.5.1 that had been downloaded after sometime in late November, then it would be a good idea to remove it or replace it with a SVN release (which was not compromised).

There's no official announcement yet, but 1.5.1 has been pulled from distribution and an official announcement will probably be forthcoming.

Hope this helps...

Re:

[wikinerd]

the hacker

Me thinks that was a probably a cracker, not a hacker.

Cracker: Malicious, illegal, wants to do damage (usually for their benefit)

Hacker: Just wants to help fix security holes in unorthodox way, play as well, and do no damage.

Seems cruel

[Intron]

Surely there's a better way to keep them off the bird feeder than poisoning them. And why just the males?

"andweeee. . ." Tag

[aquatone282]

Slashdot tags are now officially funnier than the posts themselves.

lol good or bad?

[hurfy]

hehe, i checked out of curiousity since none of us really use the web access.

Our cheesy email provider is on 1.4.9a.
Horde is the other choice and a newer version than when i last tried to use the web interface, looks confusing for any of our users now.

How would one set up their own email server with something like this? Would i want to since this only cost $150/year? Just use outlook that will come with the small biusiness server next year?

Alternative webmail?

[Tweekster]

Seriously, the state of webmail is pretty sad. Is there any promising projects for a MODERN webmail system out there? (Not a full collab package, or a heavy HEAVY ajax system)

OSS or closed source, it doesnt matter to me, just anything that is good. Squirrelmail is what I use right now, and well its ugly and it doesnt seem like they ever plan on making it look like a modern webmail client should.

Re:

[Just Some Guy]

Drop webmail altogether and use something like mutt.

How well does that work for ya when you're visiting family for the holidays and want to use their Wii to check your email?

I use native clients 99.9% of the time, but still have a webmail interface on my home server for the other .1% when I don't have the option of installing software on a borrowed machine (or simply don't want to).

Re:

[Tweekster]

This is for clients of mine. Mutt will not exactly be acceptable for them to use

It's always some

[tkid]

developer that somehow allows some crackers into the system or network.. no pun intended. My present employer now, we had a developers machine get compromised, it was sweet walking over to his machine and unplugging his network cable while he was working, along with the phrase, "we'll let you know when you can plug it back in after we wipe your machine."

Isn't there a simple way to check for this?

[Phishcast]

Wouldn't it be pretty simple for whoever compiled the release to have a known good MD5 and periodically check that what people are downloading is good? A script that runs daily from somewhere else (even on your home PC) like this maybe:

Download package
Check for matching hash
If hash doesn't match, send notification email/SMS/whatever

Even if the site is compromised and the hacker (cracker!) changes the .md5 file you'd still find out pretty quick if something was amiss. Someone commented that this has been a

Re:

[cyphercell]

he's trolling to fill his city with slashtards, link to his city from myspace i tell you.

Re:

[Bastard of Subhumani]

No, and it's not a productivity tool either - quite the opposite.

In summary: whooooosh!

Re:

[koh]

They know the tune...

If it ain't broke, don't fix it.

Re:

[johnw]

Or maybe your servers run Debian Etch (which would give you precisely Squirrelmail 1.4.9a) and so only gets security fixes and not functional updates.

Re:Good thing UWRF techies are lazy

[D'Arque Bishop]

Actually, when 1.4.11 and 1.4.12 were released, they were uncompromised. Sometime after one of the developers' accounts was hacked, and the compromised versions were uploaded.

So, if someone (like your techies) had installed 1.4.12 within a few days of its release, chances are they would have gotten an uncompromised version. I had installed 1.4.12 a couple of hours after release, and after the compromise was found I checked and found mine was an authentic release.

Re:

[ledow]

Are you talking about the rather pathetic and obvious attempt to insert a patch into the kernel with uid=0 rather than uid==0 (assignment, rather than comparison)? I don't think that ever got past the "doh? how stupid do you think we are?" stage and I can't even remember if it was the kernel or something like just a patch for a module posted to the LKML or something.

Re:

[statemachine]

Coincidence. Some addresses are easily guessed, and others are taken from websites and mailing lists.

Also, about the only thing that can't be faked with the header you posted is the IP address that connected to your server (of which you didn't include). Check your server logs.

This has nothing to do with SquirrelMail. Though they may have other problems, this one is only SM doing its job and showing what your MTA has accepted.

Re:

[jcam2]

I like the look of Usermin for Webmail ( http://www.webmin.com/uwebmail.html [webmin.com] ), but I may be biased because I created it ..

Citadel?

[flyingfsck]

Citadel, with the Blue Citadel theme, isn't bad.