Horde Webmail Disabled

Hello,

We are investigating a potentially previously unknown and undocumented security issue in Horde Webmail. During this investigation, the program will not be available for use on all of our shared and reseller servers. There is no estimated completion time for this investigation at the moment, but we will keep you informed in this thread. Please use the other webmail programs, squirrel mail and round cube are still available.

Thank you for your understanding,

Mary Wior
HostGator Network Security

[Heimdol]

Thanks for posting on this was curious what was up. Better to bring it down and fix it then leave the security hole there during the fixing process.

[ryzeeg]

Try http://yourdomain.com:2095/roundcube/index.php to get to the login for Round Cube. Make sure to put your domain name in of course into the before link.

[jammer]

Is there any word on whether horde will be reinstated? If not, how do we recover sent emails, address book, etc?

[GatorBrent]

There is no eta at this time.


Any cpanel server in the world running horde can currently be rooted with a local account. I'm sure you all would rather use another mail program then have site 0wned.

We'll let you know more information as we get it, but until then horde will remain disabled.

[jammer]

Completely agree, but if it remains disabled can we recover the sent emails and address book content?

[newview]

Quote:

Originally Posted by GatorBrent

I'm sure you all would rather use another mail program then have site 0wned.

Thanks for taking proactive measures to protect my sites . . . I appreciate it.

[GatorBrent]

I really don't see it being disabled more then a few days. Once we have a better idea of how were going to handle this exploit beyond disabling horde we'll figure out a way for everyone to import address book / messages.

[jammer]

Thank you very much and thanks for being proactive, to echo the previous post.

I learned about this from my panic clients an hour ago who happened to be 'can't live without Horde' people. While it's good that you guys posted the message here, I couldn't help but think such is a very critical issue, it would be very nice for you to send out a notification to all hosting accounts, so that we can inform our clients, instead for them to call us in panic.

[windwebguy]

I agree with Sutra. While I very much appreciate Hostgator taking steps to fix this, it would be nice if I could be the one to inform my clients rather than the other way around. Even a few hours notice would be better than no notice.

[Chaz]

All hostgators colleagues (clients and workers),
First at all, I congratulate all hostgator support team to avoid all security holes, vulnerabilities and collaborate with a full sites uptime. A+!
I'm from Argentina (sorry my elementary english! jeje) and here was a little fever with the horde! Anyone in my work use it every day because is easy and everybody be accustomed with it. Today, with this service suspension, we start feeling sick... jajajajaja
I don't know the version servers use, but I ask a question to support team:
Can test last stable or beta version on a testing server?... (please don't test in the server i am! jojojo) For ex, 2008-01-22 release a beta 4.2RC2...
Or the problem is in the Horde framework?

I know only a little about servers but If any of support maintain inform about fixing advances I appreciate.

Thanks to all!

Diego.
(I repeat, my write sucks... and speaking too!)

[GatorDaveC]

Quote:

Originally Posted by jammer

Completely agree, but if it remains disabled can we recover the sent emails and address book content?

The horde database which contains your address books is still intact. As soon as we make a proof of concept for this security hole we can then either make a patch or see if a newer version of Horde has the hole. The default CPanel installation uses version 2.74, and 3.x is already marked as stable on the Horde website.

We'll have to do some testing, give us about a week or so to figure out what we are going to do with Horde.

[gtgeorge]

Quote:

Originally Posted by GatorDaveC

The horde database which contains your address books is still intact. As soon as we make a proof of concept for this security hole we can then either make a patch or see if a newer version of Horde has the hole. The default CPanel installation uses version 2.74, and 3.x is already marked as stable on the Horde website.

We'll have to do some testing, give us about a week or so to figure out what we are going to do with Horde.

For those on dedicated servers I have two questions:

1: What steps should we take if we want to disable access to Horde and prevent the exploit?

2: Will we receive instructions to implement the same "fix" when HG has it sorted?

[slapshotw]

Quote:

Originally Posted by gtgeorge

1: What steps should we take if we want to disable access to Horde and prevent the exploit?

You can disable horde in tweak settings-->uncheck horde. I'm not sure if this will delete any saved address books though.

[gtgeorge]

Would that prevent the eploit though? Or does something else need to be done? Gators????

[TheWebsiteTailor]

Quote:

Originally Posted by sutra

...it would be very nice for you to send out a notification to all hosting accounts, so that we can inform our clients, instead for them to call us in panic.

I 100% agree!

[skeetr]

Quote:

Originally Posted by sutra

...it would be very nice for you to send out a notification to all hosting accounts, so that we can inform our clients, instead for them to call us in panic.

I am not so sure that this would have been very effective. They posted it on the forums which is the fastest way for them to get the word out to everyone. It sorta seems like an emergency so I am glad that they disabled it, posted in the forums and then went about trying to figure out how to deal with and fix the problem.

Having to send an email to what 700,000 customers to let them know that they are going to be disabling a program that is susceptible to hackers and then disabling it....sounds like the wrong approach. They did what they did because they were concerned about their customers security. They didnt do this so that they were more secure (I highly doubt HG uses Horde for their email). They did this because there was a security risk and their CUSTOMERS (you) could be adversely affected.

As a reseller, I understand the whole thing about having to hear things from your customer, but sometimes thats the way things go.

On a dedicated server, you would have been notified (via forums) and then it would have been up to you to schedule when Horde went offline, but since you are in a shared environment, HG has to look after us all and unfortunately, they cant afford to take the time to notify everyone ahead of time.

[bdtprez]

Could someone please just put up a simple "horde has been disabled due to a security vulnerability" html page so I dont have to notify every one of my customers individually?

Thanks!

[GatorDaveC]

I've added a text for you. I would rather just remove the Horde icon, but this works too.

[bdtprez]

Thank you so much, you guys are wonderful!

I prefer this to removing the icon as many people use Horde and they would just start calling saying "Where's Horde!" At least this way they know we are looking out for them.

Thanks again!

[Korrigan]

Is it possible any incoming mail was lost?

[slapshotw]

No, this will only affect the webmail client, not incoming mail.

[GatorPatrick]

A quick update. We have isolated the vulnerability and we are currently working on producing a secure patch. We still have no ETA however and we will update this thread with new information as it becomes available.

[GatorPatrick]

Another update, at this time we are able to successfully produce proof of a working exploit for this vulnerability. Based on this we will be able to develop a patch quickly. More updates to follow.