The Backdooring of Squirrelmail - Food for Thought

by Dan Poltawski -
Number of replies: 12
Slightly off topic, but I just thought I'd share this link I just read about a backdoor exploit inserted into SquirrelMail by a compromised developer account.

It emphasises the need for vigilance in guarding the security of your developer accounts, e.g. don't forget to include Moodle in your list of places to notify if you have suffered a security incident!

And checksumming of release packages?
In reply to Dan Poltawski

Re: The Backdooring of Squirrelmail - Food for Thought

by Mauno Korpelainen -

Well, this is also slightly off topic, but Colin McLean-Campbell reported on 27th of December to http://tracker.moodle.org/browse/MDL-12738 that "Spammers can enrol and use the description field in profile to carry their ads, linking to other sites. There is at present no one to prevent this from happening" - OK - we have all seen those spam messages in these forums and Helen has cleaned most of those messages from the forums. And Moodle allows you to lock that description field from Administration -> Users -> Authentication or change the default authentication method... but today I was searching for some information about a hacker called Godzilla and noticed that he/she is one of those who have been sending those link messages (for example http://www.ytc.ac.th/webboard/show.php?Category=&No=1951 contains some of those links). Another quick search in Google with moodle/user/view.php and it looks like this is becoming a real amusement for hackers. But is it just amusement - or could it be possible that if you are an admin of a site and click an innocent looking link to an advertisement, some information is moved, or an attempt is made to move it, from one server to another? Those mega turks hacking CMS systems (not Moodle) with 3rd party components and backdoor scripts are well known, but they seem to have a growing interest in studying Moodle too... or sending spam...

In reply to Mauno Korpelainen

This forum post has been removed

The content of this forum post has been removed and can no longer be accessed.
In reply to Deleted user

Re: The Backdooring of Squirrelmail - Food for Thought

by Martín Langhoff -
> I've switched off e-mail based opening of new user accounts too, which is a shame.

Have you tried using the captcha patch that's around? I haven't used it or anything, but if it works, it can block or at least slow down the spammers quite a bit.
In reply to Martín Langhoff

Re: The Backdooring of Squirrelmail - Food for Thought

by Mauno Korpelainen -
http://tracker.moodle.org/browse/MDL-7407 can give some solution but we may have two different problems. After 24th of December some sites have received maybe 1000 new users but another problem is that a huge amount of guestbooks and open forums have irrational links to address(es) like http://somesite/xxx/user/view.php?id=128&course=1 . It looks like some sites are attacked on purpose and if more and more spam messages are giving links to sites using moodle some ISP may soon close those sites if the traffic grows too much or content of user profiles gets too wild...
In reply to Dan Poltawski

Re: The Backdooring of Squirrelmail - Food for Thought

by Martín Langhoff -
It'd be a good idea if MD could produce an md5 of the zip/targz files of tagged releases and sign it with his key.

Completely impractical (and meaningless!) to do on the nightlies, but if you are running nightlies, you know you like risk.
In reply to Martín Langhoff

Re: The Backdooring of Squirrelmail - Food for Thought

by Martin Dougiamas -
That's not going to help at all if some developer account has been used to insert backdoors into the code.
In reply to Martin Dougiamas

Re: The Backdooring of Squirrelmail - Food for Thought

by Martín Langhoff -

Hmmmm. I think the Squirrelmail issue got misreported, I should perhaps explain...

Apparently, all the core SQM developers had SSH access to the server where the downloadable files were kept. The attacker only changed the zip/tarballs, long after the release. This got noticed within a couple of days, because the project posts md5 hashes of the files, and they didn't match. The attacker had forgotten to change the listing of md5 hashes (which wasn't signed).

If the listing of md5 hashes had been signed, that would have made things a lot harder to fake. I think the squirrelmail team is now signing the md5 listing.

So this did not affect their SCM (which at the moment is SVN). The attacker could have tried to make a commit, and wait until the next release, but code committed to the SCM gets a lot more review. In our case, there are quite a few readers of our CVS mailing list, and many cases where commits get reviewed later (I do a lot of code review when I merge code, for example, and I know I'm not the only one).

So I think CVS is a hard route for an attacker - bogus code has to survive in the tree long enough to be part of a release. If you put it there early, there's more time to find it, try and slip it in close to the release and everybody's watching intently.

The gap we'd want to close is someone sneaking in to download.m.o -- that's where md5's of the files, signed with your signature (and a few others!) would make us much safer, with a relatively small effort.
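
The check described above, as an added example that is not part of this thread or of Moodle's release tooling: a small verifier for an md5sum/sha256sum-style checksum listing, run against constructed stand-in archive bytes (the file names and contents are made up). The first scenario is the SquirrelMail case (archive replaced, listing untouched, mismatch reported); the second shows that if the listing itself can be rewritten the check passes, which is exactly why the listing needs a signature from a key the attacker does not hold.

```python
import hashlib
import hmac
import re
# Constructed stand-ins for the bytes of two release archives (not real Moodle files).
RELEASE_FILES = {
    "moodle-1.x.tgz": b"original tarball contents",
    "moodle-1.x.zip": b"original zip contents",
}

LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")  # '<hexdigest>  <filename>' as md5sum/sha256sum print it


def make_listing(files, algo="sha256"):
    """Build a checksum listing the way a release manager would (one line per archive)."""
    return "".join(f"{hashlib.new(algo, data).hexdigest()}  {name}\n" for name, data in files.items())


def parse_listing(text):
    """Parse a checksum listing into {filename: hexdigest}; comments and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed listing line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def verify(listing_text, files, algo="sha256"):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every entry in the listing."""
    result = {}
    for name, expected in parse_listing(listing_text).items():
        data = files.get(name)
        if data is None:
            result[name] = "MISSING"
            continue
        actual = hashlib.new(algo, data).hexdigest()
        result[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return result


def tampered_archive_scenario():
    """Archive replaced after release, listing left alone: the check catches it."""
    listing = make_listing(RELEASE_FILES)
    mirror = dict(RELEASE_FILES, **{"moodle-1.x.tgz": b"original tarball contents + extra bytes"})
    return verify(listing, mirror)


def tampered_listing_scenario():
    """Archive and listing both rewritten: the check passes, so the listing itself must be signed."""
    mirror = dict(RELEASE_FILES, **{"moodle-1.x.tgz": b"original tarball contents + extra bytes"})
    return verify(make_listing(mirror), mirror)
```

The listing format is the same one md5sum and sha256sum emit, so the same parser applies to a real download page; the digest algorithm is a parameter because md5, which the thread discusses, is not collision resistant and should not be used for new listings.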

In reply to Martín Langhoff

Re: The Backdooring of Squirrelmail - Food for Thought

by Martin Dougiamas -
OK, fair enough, I'm happy to sign release packages if it's really useful.

Does anyone here use tarballs AND actually CHECK MD5SUMS? I know I never do.
In reply to Martin Dougiamas

Re: The Backdooring of Squirrelmail - Food for Thought

by Nicolas Connault -
I use tarballs all the time, but I never check checksums.
In reply to Martin Dougiamas

Re: The Backdooring of Squirrelmail - Food for Thought

by Dan Poltawski -
The thing is, even if only one person in the world checks them then I'd argue it's still worth it! That one person who checks it can spot a problem and report it, and previously they'd have no way to check.

I rarely do for personal use because I'm lazy (I wonder if there is a Firefox extension which would do it for me). Hopefully distro package maintainers and others in that sort of position would pay more attention to that sort of thing though.

In reply to Martin Dougiamas

Re: The Backdooring of Squirrelmail - Food for Thought

by Martín Langhoff -
I'm usually lazy too (except for things that could brick hardware, like BIOS updates). As Dan says, as long as we have a few obsessive-compulsive users out there to raise the alarm...

And packagers do check the md5 hashes - often with automated scripts too.

Belt, suspenders, and double-layer asbestos underwear -- I feel safe but damn it's hard to walk.