[horde] [SECURITY] Remote execution backdoor after server hack (CVE-2012-0209)

Jan Schneider jan at horde.org
Mon Feb 13 14:27:50 UTC 2012


Dear Horde users,

a few days ago we became aware of a manipulated file on our FTP  
server. Upon further investigation we discovered that the server has  
been hacked earlier, and three releases have been manipulated to allow  
unauthenticated remote PHP execution.
We have immediately taken down all distribution servers to further  
analyze the extent of this incident, and we have worked closely with  
various Linux distributions to coordinate our response.
Since then the FTP and PEAR servers have been replaced and further  
secured. Clean versions of our releases have been uploaded.

This issue will be tracked as CVE-2012-0209:  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0209

We have been able to limit the manipulation to three files downloaded  
during a certain timeframe. The affected releases are:
- Horde 3.3.12 downloaded between November 15 and February 7
- Horde Groupware 1.2.10 downloaded between November 9 and February 7
- Horde Groupware Webmail Edition 1.2.10 downloaded between November 2  
and February 7

No other releases have been affected. Specifically, no Horde 4  
releases were compromised. Our CVS and Git repositories are not  
affected either. Linux distributions that are affected will notify and  
provide security releases individually.

If you are not sure whether you are affected or want to verify  
manually whether you are affected, you can search for this signature  
in your Horde directory tree:

$m[1]($m[2])

We recommend that all users of the affected version immediately  
re-install using fresh copies downloaded from our FTP server, or to  
upgrade to the more recent versions that have been released since  
then. This is a list of suggested replacements and their MD5 checksums:

bc04ce4499af24a403429c81d0a8afcf  
ftp://ftp.horde.org/pub/horde/horde-3.3.12.tar.gz
5a0486a5f6f96a9957e770ddabe71b38  
ftp://ftp.horde.org/pub/horde/horde-3.3.13.tar.gz
4bdab16c84513bbd9466cb0dc7464661  
ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.10.tar.gz
fed921b55a8f544fba806333502cd45d  
ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.11.tar.gz
60e100c3e4ab59c01d30bf5eb813a182  
ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.10.tar.gz
6f735266449bfda2cce8b5067b16ff74  
ftp://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.11.tar.gz

If you are running Horde 4, you don't need to do anything.

We apologize for the inconvenience and assure you that we are  
undertaking a full security review of our procedures to prevent this  
kind of incident from happening again.

If you have further questions, please ask on the Horde mailing list:  
http://www.horde.org/community/mail

Jan.

-- 
The Horde Project
http://www.horde.org/



More information about the horde mailing list