"SquirrelMail Repository Poisoned" (slashdot)
Dan Mahoney, System Admin
danm at prime.gushi.org
Wed Dec 19 19:46:35 UTC 2007
On Wed, 19 Dec 2007, Paul Vixie wrote:
Warning: my reply may be long but I might just have had too much coffee.
On the squirrelmail bit:
The squirrelmail bug would be noticed by anyone who had verified the
checksum.
For myself, I admittedly did *not* verify the SquirrelMail checksum (bad
me), but always deploy my webmail apps on a "beta" site for at least a
month before using.
I also do an insane amount of privilege separation with regard to PHP
scripts, such that a compromised webmail install would most likely only
lead to file corruption, users reading each others' address books, etc.
This is not the goal of the average script kiddie who will want to
download files, launch a shell, and run bots.
The bigger problem, I would assert, is that if your CVS/SVN/Perforce
repository is poisoned at some point, you could still be GPG-signing,
md5-summing your distfiles, without an awareness that there's something
wrong.
I.e. if the attackers could poison the .tar.gz that's on the same webspace
as the posted download, why wouldn't they just change *that* too? IMHO
they got stupid there, and that's what saved us.
On the BIND bit:
For me, I now build BIND from FreeBSD's ports, almost exclusively.
The ports system checks signatures against *INTERNAL* checksums (known to
the ports system, not posted elsewhere on the ISC site, thus bypassing
the if-you-can-upload-a-bogus-tarfile you-can-upload-a-matching-sum issue)
that are independently verified in the "proper" ways.
In general:
Oh writer-of-respected-drafts, perhaps the time has come for a defined
specification to be written for standard distribution files and the
checksums thereof.
For example, for any given tar.gz ($filename) being downloaded:
1) Check the same directory for $filename.md5, $filename.sha1,
$filename.gpg (and a possible extension -- allowing the specification of
an alternate url where the signature is maintained, either in the same
directory, or another site entirely).
2) If found, verify. If !verify, scream bloody murder.
Work could then be done with the builders of tools such as FreeBSD's
"fetch" (I'm on freebsd-questions and frequently submit PRs), Gnu WGET
(I'm on that list), curl, or even lynx and the like (which are, chances
are, the de-facto means of getting binaries to a system).
I'd love to draft such a draft myself, although I'm at present just a bit
busy (such is life?). But I'd love to hear comments otherwise. Yes, I'm
requesting them :)
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
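One way to implement the "look beside the distfile, verify, scream bloody murder" procedure sketched in the post, as an added shell example that is not Dan's code or any project's. It assumes GNU coreutils md5sum/sha1sum, sidecar files that carry the hex digest in their first field, and a gpg binary that already trusts the signer's key; the optional second argument is the "alternate location" extension, a directory holding the sidecars instead of the download directory.

```shell
#!/bin/sh
# Added example: verify a downloaded distfile against whatever
# sidecars sit next to it (or in an alternate directory).
#
# verify_distfile FILE [SIDECAR_DIR]
#   Exit status: 0 every sidecar found verifies
#                1 a sidecar exists but does not verify (or cannot be checked)
#                2 no sidecar at all -- the file is simply unverified
verify_distfile() {
    file=$1
    dir=${2:-$(dirname "$file")}   # alternate-location extension (assumed)
    base=$(basename "$file")
    found=0
    for ext in md5 sha1 gpg; do
        sidecar="$dir/$base.$ext"
        [ -f "$sidecar" ] || continue
        found=1
        case $ext in
            md5|sha1)
                # Assumes the sidecar's first field is the hex digest,
                # as md5sum/sha1sum write it.
                expected=$(cut -d' ' -f1 "$sidecar")
                actual=$("${ext}sum" "$file" | cut -d' ' -f1)
                if [ "$expected" != "$actual" ]; then
                    echo "$base: $ext MISMATCH (expected $expected, got $actual)" >&2
                    return 1
                fi ;;
            gpg)
                # A signature we are unable to check counts as a failure,
                # not as "nothing to see here".
                command -v gpg >/dev/null 2>&1 \
                    || { echo "$base: signature present but gpg missing" >&2; return 1; }
                gpg --batch --verify "$sidecar" "$file" >/dev/null 2>&1 \
                    || { echo "$base: BAD SIGNATURE" >&2; return 1; } ;;
        esac
    done
    if [ "$found" -ne 1 ]; then
        echo "$base: no checksum or signature found" >&2
        return 2
    fi
    echo "$base: verified"
    return 0
}
```

A fetch wrapper would call this right after the download and refuse to hand the file on unless the status is 0.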