Unknown perpetrators infiltrated a backdoor into several installation packages during an attack on groupware provider Horde's FTP server. Horde 3.3.12, Groupware 1.2.10 and the webmail edition of the groupware product are all affected. Horde 4 was not modified. The CVS and Git servers are also unaffected.

Users who have installed a hacked version onto a server have thrown their systems wide open to the hackers – the backdoor enables them to execute arbitrary PHP code. By exploiting additional vulnerabilities, attackers could use this to gain complete control of the server.

According to Horde, the intrusion occurred in early November last year, but was discovered just a few days ago. The developers have now removed the backdoor from the installation packages available from the FTP server.

Users who installed one of the affected products between November 2011 and 7 February this year should download a new copy of the file or upgrade to the recently released Horde 3.3.13 or Groupware 1.2.11. The new versions also fix other critical vulnerabilities. Some Linux distributions could also contain vulnerable packages, although the developers do not say which distributions may be affected.

See also:

Horde Groupware 4.0 released, a report from The H.

(ehe)