It emphasises the need for vigilance and guarding of the security of your developer accounts, e.g. don't forget to include Moodle in your list of places to notify if you have suffered a security incident!
And checksumming of release packages?
Re: The Backdooring of Squirrelmail - Food for Thought
Well, this is also slightly off topic, but Colin McLean-Campbell reported on the 27th of December to http://tracker.moodle.org/browse/MDL-12738 that "Spammers can enrol and use the description field in profile to carry their ads, linking to other sites. There is at present no one to prevent this from happening" - OK - we have all seen those spam messages in these forums and Helen has cleaned most of those messages from forums. And Moodle allows you to lock that description field from Administration -> Users -> Authentication or change the default authentication method... but today I was searching for some information about a hacker called Godzilla and noticed that he/she is one of those who have been sending those link messages (for example http://www.ytc.ac.th/webboard/show.php?Category=&No=1951 contains some of those links). Another quick search in Google with moodle/user/view.php and it looks like this is becoming a real amusement for hackers. But is it just amusement - or could it be possible that if you are an admin of a site and click an innocent-looking link to an advertisement, some information is moved, or an attempt is made to move it, from one server to another? Those mega Turks hacking CMS systems (not Moodle) with 3rd party components and backdoor scripts are well known, but they seem to have a growing interest in studying Moodle too... or sending spam...
Re: The Backdooring of Squirrelmail - Food for Thought
Have you tried using the captcha patch that's around? I haven't used it or anything, but if it works, it can block or at least slow down the spammers quite a bit.
Re: The Backdooring of Squirrelmail - Food for Thought
Completely impractical (and meaningless!) to do on the nightlies but if you are running nightlies, you know you like risk
Re: The Backdooring of Squirrelmail - Food for Thought
Hmmmm. I think the Squirrelmail issue got misreported, I should perhaps explain...
Apparently, all the core SQM developers had SSH access to the server where the downloadable files were kept. The attacker only changed the zip/tarballs, long after the release. This got noticed within a couple of days, because the project posts md5 hashes of the files, and they didn't match. The attacker had forgotten to change the listing of md5 hashes (which wasn't signed).
If the listing of md5 hashes had been signed, that would have made things a lot harder to fake. I think the squirrelmail team is now signing the md5 listing.
So this did not affect their SCM (which at the moment is SVN). The attacker could have tried to make a commit, and wait until the next release, but code committed to the SCM gets a lot more review. In our case, there are quite a few readers of our CVS mailing list, and many cases where commits get reviewed later (I do a lot of code review when I merge code, for example, and I know I'm not the only one).
So I think CVS is a hard route for an attacker - bogus code has to survive in the tree long enough to be part of a release. If you put it there early, there's more time to find it, try and slip it in close to the release and everybody's watching intently.
The gap we'd want to close is someone sneaking in to download.m.o -- that's where md5s of the files, signed with your signature (and a few others!), would make us much safer, with a relatively small effort.
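The three cases the post above describes (tarball swapped but listing forgotten, tarball and unsigned listing both swapped, tarball and a signed listing both swapped), as an added example that is not part of the original thread or of either project's code. All data is constructed; HMAC-SHA256 stands in for the detached PGP signature the post suggests, since the relevant property is the same: whoever controls only the download host cannot produce a valid tag over a modified listing.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed stand-ins: a release file (genuine and trojaned) and a release
# manager's key that is never stored on the download host.
GENUINE = {"squirrelmail-release.tar.gz": b"genuine release contents (constructed)"}
TROJANED = {"squirrelmail-release.tar.gz": b"release plus backdoor (constructed)"}
RELEASE_KEY = b"release-manager-key (constructed, kept off the download host)"


def hash_listing(files: Dict[str, bytes]) -> str:
    """Build an md5sum-style listing: '<md5>  <filename>' per line."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))


def sign_listing(listing: str, key: bytes) -> str:
    """Authenticate the listing; HMAC stands in for a detached PGP signature."""
    return hmac.new(key, listing.encode(), hashlib.sha256).hexdigest()


def verify_download(files: Dict[str, bytes], listing: str,
                    signature: Optional[str], key: Optional[bytes]) -> List[str]:
    """Return the problems found; an empty list means the download verifies."""
    problems = []
    if key is not None and (signature is None or not hmac.compare_digest(
            sign_listing(listing, key), signature)):
        problems.append("listing signature invalid")
    for line in listing.splitlines():
        digest, name = line.split("  ", 1)
        if name not in files:
            problems.append(f"{name}: listed but not present")
        elif hashlib.md5(files[name]).hexdigest() != digest:
            problems.append(f"{name}: hash mismatch")
    return problems


def what_happened() -> List[str]:
    """Attacker swapped the tarball but left the (unsigned) listing alone."""
    return verify_download(TROJANED, hash_listing(GENUINE), None, None)


def unsigned_listing_swapped() -> List[str]:
    """Attacker swaps tarball AND regenerates the unsigned listing: nothing catches it."""
    return verify_download(TROJANED, hash_listing(TROJANED), None, None)


def signed_listing_swapped() -> List[str]:
    """Same swap, but the listing must verify under a key the attacker lacks."""
    forged_sig = sign_listing(hash_listing(TROJANED), b"attacker-guess (constructed)")
    return verify_download(TROJANED, hash_listing(TROJANED), forged_sig, RELEASE_KEY)
```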
Re: The Backdooring of Squirrelmail - Food for Thought
Does anyone here use tarballs AND actually CHECK MD5SUMS? I know I never do
Re: The Backdooring of Squirrelmail - Food for Thought
I rarely do for personal use because I'm lazy (I wonder if there is a Firefox extension which would do it for me). Hopefully distro package maintainers and others in that sort of position would pay more attention to that sort of thing though.
Re: The Backdooring of Squirrelmail - Food for Thought
And packagers do check the md5 hashes - often with automated scripts too.
Belt, suspenders, and double-layer asbestos underwear -- I feel safe but damn it's hard to walk.
Re: The Backdooring of Squirrelmail - Food for Thought
Talking about server email abuse attempts http://moodle.org/mod/forum/discuss.php?d=88114