Malicious backdoor in open-source messaging apps not spotted for 3 months

If you downloaded one of three messaging apps from the Horde Project's FTP …

For almost three months, versions of three widely distributed open-source applications from Horde.org contained a backdoor that allowed attackers to remotely execute malicious PHP code on systems that ran the programs.

Members of the Horde Project warned of the tampering earlier this week, in a bulletin that advised users of the collaboration and messaging applications to immediately reinstall newer versions that didn't contain the malicious code. Those affected included anyone who downloaded installation packages for Horde 3.3.12, Horde Groupware 1.2.10 or Horde Groupware Webmail Edition 1.2.10 between various dates in November and February 7. Horde 4 is not affected. A module that targets the vulnerability has already been added to the Metasploit framework for hackers and penetration testers.

According to the Eric Romang Blog, at least two Linux distributions, from Ubuntu and Debian, were delivering the tainted versions of Horde 3.3.12.

"The impact through Linux distribution should be not so important," Wednesday's post went on to say. "Only users who have downloaded the source code from FTP are mainly affected."

Horde's advisory said the releases were altered after unidentified hackers breached an FTP server used to distribute the installation packages.

"We apologize for the inconvenience and assure you that we are undertaking a full security review of our procedures to prevent this kind of incident from happening again," members of the project wrote.

Horde's advisory is just the latest admission by a trusted developer of open-source software that its defenses were penetrated. In August, the archive site for the Linux kernel was compromised by hackers who gained root access to several servers and installed key-logging software. There was no evidence any of the repositories storing Linux source code was tampered with.

In 2010, GNU-Savannah, the main distribution site for the Free Software Foundation, was taken offline following discovery of a hack that compromised passwords. That same year, the Apache Software Foundation suffered an attack that captured the passwords of anyone who used the website's bug-tracking service over a three-day span. It was the second major compromise of Apache.org in eight months.