Linux-Noob Forums

Full Version: Hackers Hit Apache.org, Compromise Passwords

The Apache Software Foundation reports that it was hit earlier in April by a sophisticated attack that compromised user passwords.


Hackers launched a multistage, targeted attack against the Apache Software Foundation's infrastructure April 5 that compromised user passwords.


According to the foundation, the hackers took advantage of an XSS (cross-site scripting) vulnerability using a shortened URL to target the server hosting issue-tracking software for the open-source group's projects. The foundation uses a donated instance of Atlassian JIRA to track issues and requests, and hosted the instance on brutus.apache.org, running Ubuntu Linux 8.04 LTS.


"If you are a user of the Apache-hosted JIRA, Bugzilla or Confluence, a hashed copy of your password has been compromised," the foundation said in an April 13 statement on the Apache Infrastructure Team blog. "JIRA and Confluence both use a SHA-512 hash, but without a random salt. We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords."


The statement continued, "Bugzilla uses [an] SHA-256, including a random salt. The risk for most users is low to moderate, since prebuilt password dictionaries are not effective, but we recommend [that] users should still remove these passwords from use."


more > http://www.eweek.com/c/a/Security/Hacker...ds-896918/


Peculiarly, it seems IE8 helped with the compromise!


http://www.theregister.co.uk/2010/04/20/...e_xss_fix/
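
An added illustration of why the foundation rates the unsalted SHA-512 hashes (JIRA, Confluence) as high risk and the salted SHA-256 hashes (Bugzilla) as lower risk. This is example code written for this thread, not code from Apache, Atlassian or Bugzilla; the wordlist and user table are constructed, the salt-then-password input layout is an assumption of the example, and the PBKDF2 function at the end is the example's own recommendation rather than anything the article says was deployed:

```python
import hashlib
import os

# Constructed sample wordlist: the kind of dictionary-word passwords the
# Apache statement says are at high risk when hashed without a salt.
WORDLIST = ["password", "letmein", "qwerty", "apache", "jira2010", "trustno1"]


def unsalted_sha512(password: str) -> str:
    """Hash as the article describes JIRA/Confluence doing it: SHA-512, no salt.
    Identical passwords always give identical hashes, across users and sites."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """Hash as the article describes Bugzilla doing it: SHA-256 with a random salt.
    Assumption of this example: the salt is prepended to the password before
    hashing; Bugzilla's real input layout is not stated in the article."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once. With no salt, this one table cracks
    any unsalted SHA-512 dump from any site, with zero hashing at crack time."""
    return {unsalted_sha512(w): w for w in wordlist}


def crack_unsalted(records, table):
    """records: iterable of (user, hex_hash). One dict probe per user, no hashing."""
    return {user: table[h] for user, h in records if h in table}


def crack_salted(records, wordlist):
    """records: iterable of (user, hex_hash, salt). The precomputed table is
    useless here: every record forces a fresh pass over the wordlist, so the
    work grows with (number of users) x (wordlist size). Returns the cracked
    map and the number of hash evaluations spent, to make that cost visible."""
    cracked = {}
    evaluations = 0
    for user, h, salt in records:
        for candidate in wordlist:
            evaluations += 1
            if salted_sha256(candidate, salt) == h:
                cracked[user] = candidate
                break
    return cracked, evaluations


def slow_salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """What a practitioner would deploy instead of either scheme above:
    salted AND deliberately slow (PBKDF2-HMAC-SHA256). The example's own
    recommendation, not something the article says Apache or Atlassian used."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def demo():
    """Simulate a leaked user table under both schemes and compare crack cost."""
    # Constructed users: two share a dictionary word, one has a strong password.
    users = {"alice": "apache", "bob": "apache", "carol": "H7#kq!2zLm9vP"}
    table = build_lookup_table(WORDLIST)

    # Unsalted: alice and bob share a hash, and both fall to a single lookup each.
    unsalted_dump = [(u, unsalted_sha512(p)) for u, p in users.items()]
    hit_unsalted = crack_unsalted(unsalted_dump, table)

    # Salted: same passwords, different hashes, and the table never matches.
    salted_dump = []
    for u, p in users.items():
        salt = os.urandom(16)
        salted_dump.append((u, salted_sha256(p, salt), salt))
    table_hits_on_salted = sum(1 for _, h, _ in salted_dump if h in table)
    hit_salted, cost = crack_salted(salted_dump, WORDLIST)

    return {
        "unsalted_cracked": len(hit_unsalted),
        "unsalted_distinct_hashes": len({h for _, h in unsalted_dump}),
        "table_hits_on_salted": table_hits_on_salted,
        "salted_cracked": len(hit_salted),
        "salted_hash_evaluations": cost,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the salt does and does not buy: the weak passwords are still recovered, but only by paying a full wordlist pass per user instead of one table lookup shared across every user and every site that used unsalted SHA-512. That is exactly the "prebuilt password dictionaries are not effective" point in the Bugzilla part of the statement, and why the advice to rotate still stands.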