Backdoor in e107 CMS version 0.7.17

Posted Jan 27, 2010 6:43 UTC (Wed) by njs (subscriber, #40338)
In reply to: Backdoor in e107 CMS version 0.7.17 by johill
Parent article: Backdoor in e107 CMS version 0.7.17

There's speculation on full-disclosure (click "Thread" above) that that security announcement about 0.7.17 is to fix a *different* hole... and that this other hole was used to compromise e107.org and insert this backdoor into the 0.7.17 "critical security fix, upgrade now if not sooner" release.

to post comments

Backdoor in e107 CMS version 0.7.17

Posted Jan 28, 2010 10:34 UTC (Thu) by epa (subscriber, #39769) [Link] (1 responses)

Would using a hashing VCS such as Git have prevented this? If we all became accustomed to instructions such as 'please upgrade to a4732abc41412' rather than 'please download foo-1.2.3.tar.gz', would it become more difficult to insert such backdoors?

Backdoor in e107 CMS version 0.7.17

Posted Jan 28, 2010 19:26 UTC (Thu) by njs (subscriber, #40338) [Link]

In principle it could help, but mostly by making it easier to recover after the repository was compromised (which doesn't seem to have happened here in any case). Presumably they would just change the website to say "please upgrade to 1412a4732abc8" or whatever and no-one would notice that either. Signatures could help in principle, but key management and achieving trust is it's own barrel of worms, and these sorts of attacks are surprisingly rare; I'm not sure how much effort it's worth expending to defend against them.

If you *really* want to compromise the users of some project, it's pretty straightforward -- just come up with a plausible pseudonym, and send some legitimate patches that "accidentally" introduce an old-fashioned security bug. All the crypto in the world won't help with that. There are plenty of people you'd expect to be expending real resources on this, too -- militaries, criminals, heck, security researchers (who build their reputation and consulting business through finding bugs). The only reason I can think of that we haven't caught anyone at it yet is that earnest engineers produce enough security holes that people who depend on security holes mostly don't find it worth the bother trying to add more.