Backdoor in e107 CMS version 0.7.17

Posted Jan 26, 2010 14:22 UTC (Tue) by cdman (guest, #63220)
In reply to: Backdoor in e107 CMS version 0.7.17 by busterb
Parent article: Backdoor in e107 CMS version 0.7.17

It seems to be fixed now and they also have a notification on their front page about a security update (although they could have used a bigger font :-)). Also, I couldn't find the given piece of code in their CVS repo, which probably means that only their website got hacked, not a dev...


to post comments

Backdoor in e107 CMS version 0.7.17

Posted Jan 26, 2010 14:31 UTC (Tue) by johill (subscriber, #25196)

Are you sure? The security update on their page seems to say that 0.7.17 is the solution, while this article says it is the problem.

Backdoor in e107 CMS version 0.7.17

Posted Jan 27, 2010 6:43 UTC (Wed) by njs (subscriber, #40338)

There's speculation on full-disclosure (click "Thread" above) that that security announcement about 0.7.17 is to fix a *different* hole... and that this other hole was used to compromise e107.org and insert this backdoor into the 0.7.17 "critical security fix, upgrade now if not sooner" release.

Backdoor in e107 CMS version 0.7.17

Posted Jan 28, 2010 10:34 UTC (Thu) by epa (subscriber, #39769)

Would using a hashing VCS such as Git have prevented this? If we all became accustomed to instructions such as 'please upgrade to a4732abc41412' rather than 'please download foo-1.2.3.tar.gz', would it become more difficult to insert such backdoors?

Backdoor in e107 CMS version 0.7.17

Posted Jan 28, 2010 19:26 UTC (Thu) by njs (subscriber, #40338)

In principle it could help, but mostly by making it easier to recover after the repository was compromised (which doesn't seem to have happened here in any case). Presumably they would just change the website to say "please upgrade to 1412a4732abc8" or whatever and no-one would notice that either. Signatures could help in principle, but key management and achieving trust is its own barrel of worms, and these sorts of attacks are surprisingly rare; I'm not sure how much effort it's worth expending to defend against them.

If you *really* want to compromise the users of some project, it's pretty straightforward -- just come up with a plausible pseudonym, and send some legitimate patches that "accidentally" introduce an old-fashioned security bug. All the crypto in the world won't help with that. There are plenty of people you'd expect to be expending real resources on this, too -- militaries, criminals, heck, security researchers (who build their reputation and consulting business through finding bugs). The only reason I can think of that we haven't caught anyone at it yet is that earnest engineers produce enough security holes that people who depend on security holes mostly don't find it worth the bother trying to add more.

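The exchange between epa and njs above (a content-addressed release identifier versus a website-published hash) can be made concrete. The following is an added example, not code from the thread, from e107, or from Git itself; it reimplements Git's object hashing (SHA-1 over "type length\0payload") for flat trees so it runs offline. The release file names, file contents, the "tampered line", and the fixed author/committer string are constructed for the demonstration, and the pinned commit id stands in for a release identifier a user obtained somewhere other than the project's website.

```python
"""Content-addressed release pinning, Git style (added example, constructed data)."""
import hashlib
from typing import Dict

# Fixed metadata so the commit id is reproducible; constructed, not a real e107 commit.
AUTHOR = "release bot <release@example.invalid> 1264515600 +0000"
RELEASE_MESSAGE = "Release 0.7.17"


def git_hash_object(obj_type: str, payload: bytes) -> str:
    """Git's object id: sha1("<type> <len>\\0" + payload), as hex."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_hash_object("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Id of a flat Git tree: entries are '<mode> <name>\\0' + 20 raw sha bytes,
    sorted by name. Regular files only (mode 100644); no subdirectories."""
    entries = b""
    for name in sorted(files):
        entries += f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
    return git_hash_object("tree", entries)


def commit_id(tree: str, message: str, author: str = AUTHOR) -> str:
    body = f"tree {tree}\nauthor {author}\ncommitter {author}\n\n{message}\n".encode()
    return git_hash_object("commit", body)


def release_id(files: Dict[str, bytes], message: str = RELEASE_MESSAGE) -> str:
    """The identifier a project would tell users to 'upgrade to'."""
    return commit_id(tree_id(files), message)


def verify_release(files: Dict[str, bytes], pinned_id: str,
                   message: str = RELEASE_MESSAGE) -> bool:
    """True iff the files a user downloaded hash to the id they were told to expect."""
    return release_id(files, message) == pinned_id


# Constructed release contents (not e107's real files).
CLEAN_RELEASE = {
    "index.php": b"<?php require 'lib/core.php'; run();\n",
    "lib/core.php": b"<?php function run() { echo 'ok'; }\n",
}

# Same release with one extra line in one file; the line is a placeholder, not a real backdoor.
TAMPERED_RELEASE = dict(CLEAN_RELEASE)
TAMPERED_RELEASE["lib/core.php"] = (
    CLEAN_RELEASE["lib/core.php"] + b"// tampered line added after the release was cut\n"
)

# What a user pinned from an out-of-band channel (mailing list, signed mail, a friend's checkout).
PINNED_ID = release_id(CLEAN_RELEASE)


def demo() -> Dict[str, bool]:
    # Case 1: website tarball replaced, but the user still holds the out-of-band id.
    detected = not verify_release(TAMPERED_RELEASE, PINNED_ID)
    # Case 2 (njs's point): the attacker who owns the website also republishes the
    # id that matches the tampered tree, and the user takes the id from that same page.
    attacker_published_id = release_id(TAMPERED_RELEASE)
    undetected = verify_release(TAMPERED_RELEASE, attacker_published_id)
    return {"detected_with_out_of_band_id": detected,
            "undetected_with_website_id": undetected}


if __name__ == "__main__":
    print("clean   :", PINNED_ID)
    print("tampered:", release_id(TAMPERED_RELEASE))
    print(demo())
```

The ids here match what `git hash-object` and `git commit-tree` would produce for the same bytes, so a pinned commit id does bind the full tree contents; what it cannot do is tell the user which id to trust, which is exactly where the discussion above lands on signatures and key management.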

Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds