2010-04-14, 06:53 PM
The Apache Software Foundation reports that it was hit earlier in April by a sophisticated attack that compromised user passwords.
Hackers launched a multistage, targeted attack against the Apache Software Foundation's infrastructure April 5 that compromised user passwords.
According to the foundation, the hackers took advantage of an XSS (cross-site scripting) vulnerability using a shortened URL to target the server hosting issue-tracking software for the open-source group's projects. The foundation uses a donated instance of Atlassian JIRA to track issues and requests, and hosted the instance on brutus.apache.org, running Ubuntu Linux 8.04 LTS.
"If you are a user of the Apache-hosted JIRA, Bugzilla or Confluence, a hashed copy of your password has been compromised," the foundation said in an April 13 statement on the Apache Infrastructure Team blog. "JIRA and Confluence both use a SHA-512 hash, but without a random salt. We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords."
The statement continued, "Bugzilla uses [an] SHA-256, including a random salt. The risk for most users is low to moderate, since prebuilt password dictionaries are not effective, but we recommend [that] users should still remove these passwords from use."
more > http://www.eweek.com/c/a/Security/Hacker...ds-896918/
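The two quoted risk assessments come down to one property: a precomputed dictionary of hashes works against every unsalted hash ever leaked, while a per-user random salt forces the attacker to redo the dictionary work for each account. The script below is an added illustration and is not Apache's, Atlassian's or Bugzilla's code; the accounts, passwords and six-word "dictionary" are constructed, and the function names are my own. It builds a precomputed table once, shows it recovering every unsalted SHA-512 hash with a single lookup each, shows the same table scoring zero hits against salted SHA-256 records, counts how many hash operations the salted case costs instead, and closes with the form a defender should store today: a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library, with a constant-time verify).

```python
import hashlib
import hmac
import os

# Constructed sample data. Real leaks involve far larger wordlists; six words
# are enough to show the mechanics.
DICTIONARY = ["password", "letmein", "apache", "jira2010", "qwerty", "correcthorse"]
USERS = [("alice", "password"), ("bob", "apache"), ("carol", "correcthorse")]


def unsalted_sha512(password: str) -> str:
    """Unsalted SHA-512, the scheme the statement attributes to JIRA/Confluence."""
    return hashlib.sha512(password.encode()).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """SHA-256 over a per-user random salt plus the password, as for Bugzilla."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def precompute_table(words) -> dict:
    """Built once, offline; reusable against any unsalted SHA-512 leak."""
    return {unsalted_sha512(w): w for w in words}


def store_unsalted(users) -> dict:
    return {name: unsalted_sha512(pw) for name, pw in users}


def store_salted(users) -> dict:
    records = {}
    for name, pw in users:
        salt = os.urandom(16)          # fresh 128-bit salt per account
        records[name] = (salt, salted_sha256(pw, salt))
    return records


def crack_unsalted(store: dict, table: dict) -> dict:
    """One dictionary lookup per leaked hash; no hashing at attack time."""
    return {name: table[h] for name, h in store.items() if h in table}


def table_hits_on_salted(store: dict, table: dict) -> int:
    """The same precomputed table against salted records: the salt was never
    part of the precomputation, so the digests cannot match."""
    return sum(1 for _, (_, h) in store.items() if h in table)


def crack_salted_by_recompute(store: dict, words) -> tuple:
    """Without precomputation the dictionary must be rehashed per salt.
    Returns (hash operations spent, passwords recovered)."""
    ops, recovered = 0, {}
    for name, (salt, h) in store.items():
        for w in words:
            ops += 1
            if hmac.compare_digest(salted_sha256(w, salt), h):
                recovered[name] = w
                break
    return ops, recovered


# Hardened storage: salt plus a deliberately slow, iterated derivation so that
# even the per-salt dictionary pass above becomes expensive.
def hash_pbkdf2(password: str, salt: bytes = None, iterations: int = 600_000) -> tuple:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify_pbkdf2(password: str, record: tuple) -> bool:
    salt, iterations, dk = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)   # constant-time comparison


if __name__ == "__main__":
    table = precompute_table(DICTIONARY)
    print("unsalted, recovered by lookup:", crack_unsalted(store_unsalted(USERS), table))
    salted = store_salted(USERS)
    print("salted, table hits:", table_hits_on_salted(salted, table))
    print("salted, (ops, recovered):", crack_salted_by_recompute(salted, DICTIONARY))
    rec = hash_pbkdf2("correcthorse")
    print("pbkdf2 verify:", verify_pbkdf2("correcthorse", rec), verify_pbkdf2("password", rec))
```

The salted SHA-256 still falls to the per-user recompute for dictionary words, which is why the statement rates that risk "low to moderate" rather than none; the salt only removes the precomputation shortcut. Iteration count (600,000 here, a parameter) is what turns each of those guesses from a microsecond into a noticeable cost, and moving the same salted-and-slow design to a password-specific KDF such as scrypt or Argon2 follows the same pattern.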