[horde] [SECURITY] Remote execution backdoor after server hack (CVE-2012-0209)
Jan Schneider
jan at horde.org
Mon Feb 13 14:27:50 UTC 2012
Dear Horde users,
a few days ago we became aware of a manipulated file on our FTP
server. Upon further investigation we discovered that the server has
been hacked earlier, and three releases have been manipulated to allow
unauthenticated remote PHP execution.
We have immediately taken down all distribution servers to further
analyze the extent of this incident, and we have worked closely with
various Linux distributions to coordinate our response.
Since then the FTP and PEAR servers have been replaced and further
secured. Clean versions of our releases have been uploaded.
This issue will be tracked as CVE-2012-0209:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0209
We have been able to limit the manipulation to three files downloaded
during a certain timeframe. The affected releases are:
- Horde 3.3.12 downloaded between November 15 and February 7
- Horde Groupware 1.2.10 downloaded between November 9 and February 7
- Horde Groupware Webmail Edition 1.2.10 downloaded between November 2
and February 7
No other releases have been affected. Specifically, no Horde 4
releases were compromised. Our CVS and Git repositories are not
affected either. Linux distributions that are affected will notify and
provide security releases individually.
If you are not sure whether you are affected or want to verify
manually whether you are affected, you can search for this signature
in your Horde directory tree:
$m[1]($m[2])
We recommend that all users of the affected version immediately
re-install using fresh copies downloaded from our FTP server, or to
upgrade to the more recent versions that have been released since
then. This is a list of suggested replacements and their MD5 checksums:
bc04ce4499af24a403429c81d0a8afcf
ftp://ftp.horde.org/pub/horde/horde-3.3.12.tar.gz
5a0486a5f6f96a9957e770ddabe71b38
ftp://ftp.horde.org/pub/horde/horde-3.3.13.tar.gz
4bdab16c84513bbd9466cb0dc7464661
ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.10.tar.gz
fed921b55a8f544fba806333502cd45d
ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.11.tar.gz
60e100c3e4ab59c01d30bf5eb813a182
ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.10.tar.gz
6f735266449bfda2cce8b5067b16ff74
ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.11.tar.gz
If you are running Horde 4, you don't need to do anything.
We apologize for the inconvenience and assure you that we are
undertaking a full security review of our procedures to prevent this
kind of incident from happening again.
If you have further questions, please ask on the Horde mailing list:
http://www.horde.org/community/mail
Jan.
--
The Horde Project
http://www.horde.org/
More information about the horde
mailing list