Hi!

Sorry for keeping up the "off-topic"... but I had to answer....

On Mon, Feb 1, 2010 at 4:35 PM, Stan Hoeppner <s...@hardwarefreak.com> wrote:
> Kay put forth on 2/1/2010 11:49 AM:
>
>> In my job (hosting company) I see boxes exploited via roundcube all the
>> time.  Squirrelmail? Not one so far.  Part of the reason is that
>> squirrelmail comes with RHEL, so it's kept up to date automatically,
>> while customers install their own roundcube and then don't maintain it.
>

Me too: not just on DCs, but even on home (DSL dynamic) IPs. These are bots
scanning, and I have found A LOT of roundcube-targeted scans. I have
found lots of access attempts on *all* of the servers I have access
to: more than 10 of them, in different geographical locations.

> I think you're making some incorrect assumptions.  Squirrelmail has had a pretty
> abysmal security track record of its own over the years.  One reason for that is

True: really old ones.

> probably exactly what you're calling out Roundcube for here, which has nothing
> to do with the software, but the administration of the system.  That said, you
> appear to think the world runs on Red Hat, and if Red Hat doesn't have a
> Roundcube package, admins will install from source or an external RPM that
> doesn't get updated by Red Hat's uptodate or whatever it's called.  The world
> doesn't run on Red Hat, and many admins _do_ keep their Roundcube (and other)
> packages up to date.  For instance, I do security updates on my Debian servers
> once a week.  My Roundcube package is currently up to date, and it is a standard
> Debian package:

I use Debian too.

>>  That said, it's not the only webmail client (or any other web app) that
>> gets the install&neglect treatment, it's just the one most frequently
>> exploited.
>
> Do you have any empirical data showing that Roundcube is exploited more often
> today than Squirrelmail?  Claims like this really need to be backed up.  Data
> for only your data center doesn't count, the sample size is way too small.  This
> is called "anecdotal" evidence, not empirical evidence.

Ok, you want a "sample": 100% of the servers I have access to have,
at least once in the last year, been scanned by a bot (or person, who
knows) for /roundcoube or similar, and none of them included scans
for squirrelmail-related files.  My sample size: around 20 servers in
~4 different geographical locations.  One of the servers gets hit
constantly by scans looking for files like roundcube/something and
roundcube3/something (yes, 3, I don't know why, it should be 0.3), and
roundcoube0.2/something.... and so on..... I have never ever used
roundcube, because I studied it a little and found that it was
still too young, I mean: it needs to grow as a project to get to a
point where major security issues get uncommon.

The other case: my own PC. I have a "test" web server there, and it
has been hit by these *scans* a lot.... and it has a dynamic IP... I
recently decided to block port 80 from outside, and only open it
when I need it to be accessed from outside (it just gets annoying).

Once again, sorry about the off-topic, but this is an interesting discussion.

Sincerely,

Ildefonso Camargo
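As an added example (not part of this mail or the thread), a small Python script that pulls the webmail-path probes Ildefonso describes out of Apache access logs and counts them per source address. The log lines are constructed, and the path patterns (roundcube, misspelled roundcoube, version-suffixed variants, squirrelmail) are assumptions based on the variants named in the mail.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache common-log lines (not real traffic). The paths mirror the
# probes described in the mail: roundcube, roundcube3, roundcoube0.2, squirrelmail.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2010:16:40:01 +0000] "GET /roundcube/ HTTP/1.1" 404 512
203.0.113.7 - - [01/Feb/2010:16:40:02 +0000] "GET /roundcube3/index.php HTTP/1.1" 404 512
203.0.113.7 - - [01/Feb/2010:16:40:03 +0000] "GET /roundcoube0.2/index.php HTTP/1.1" 404 512
198.51.100.9 - - [01/Feb/2010:16:41:10 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.9 - - [01/Feb/2010:16:41:11 +0000] "GET /squirrelmail/ HTTP/1.1" 404 512
"""

# Common log format: client IP, ident, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# First path segment names a webmail install. "roundc[ou]+be" covers both the
# correct and the misspelled ("roundcoube") form; "[\d.]*" the versioned ones
# (roundcube3, roundcoube0.2). Assumed patterns, derived from the mail.
WEBMAIL_PROBE = re.compile(r'^/(?P<family>roundc[ou]+be|squirrelmail)[\d.]*(?:/|$)', re.IGNORECASE)


def webmail_probes(log_text):
    """Return ({ip: Counter(family -> hits)}, [(ip, path, status), ...]) for
    every request whose first path segment looks like a webmail install."""
    per_ip = defaultdict(Counter)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; skip rather than guess
        probe = WEBMAIL_PROBE.match(m["path"])
        if not probe:
            continue
        family = probe["family"].lower()
        if family.startswith("round"):
            family = "roundcube"  # fold misspelled and versioned variants together
        per_ip[m["ip"]][family] += 1
        hits.append((m["ip"], m["path"], int(m["status"])))
    return dict(per_ip), hits


def scanners(per_ip, threshold=2):
    """Source IPs that probed at least `threshold` webmail paths. On a host that
    runs no webmail at all, every such hit (all 404s) is reconnaissance noise."""
    return sorted(ip for ip, fam in per_ip.items() if sum(fam.values()) >= threshold)


if __name__ == "__main__":
    counts, found = webmail_probes(SAMPLE_LOG)
    for ip, fam in counts.items():
        print(ip, dict(fam))
    print("scanners:", scanners(counts))
```

On a real server, feed the access log through `webmail_probes` and compare the flagged paths against what is actually installed; anything matching an absent package is a candidate for a firewall or fail2ban rule rather than a patch.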
