http://www.eweek.com/c/a/Security/Hackers-Hit-Apacheorg-Compromise-Passwords-896918/

By Brian Prince
eWeek.com
2010-04-13

The Apache Software Foundation reports that it was hit earlier in April by a sophisticated attack that compromised user passwords.

Hackers launched a multistage, targeted attack against the Apache Software Foundation's infrastructure April 5 that compromised user passwords.

According to the foundation, the hackers took advantage of an XSS (cross-site scripting) vulnerability using a shortened URL to target the server hosting issue-tracking software for the open-source group's projects. The foundation uses a donated instance of Atlassian JIRA to track issues and requests, and hosted the instance on brutus.apache.org, running Ubuntu Linux 8.04 LTS.

"If you are a user of the Apache-hosted JIRA, Bugzilla or Confluence, a hashed copy of your password has been compromised," the foundation said in an April 13 statement on the Apache Infrastructure Team blog. "JIRA and Confluence both use a SHA-512 hash, but without a random salt. We believe the risk to simple passwords based on dictionary words is quite high, and most users should rotate their passwords."

[...]

Received on Tue Apr 13 2010 - 22:25:59 PDT
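The foundation's statement above says the stored hashes were SHA-512 without a random salt. The following is an added example, not code from the article, Apache or Atlassian: it shows why that leaves dictionary-based passwords exposed across all accounts at once, next to a salted, slow-KDF form. The usernames, passwords, wordlist, iteration count and function names are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 210_000  # assumed work factor for this example


def unsalted_sha512(password: str) -> str:
    """The scheme the statement describes: SHA-512 with no salt."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened form: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return salt, derived


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_pbkdf2(password, salt)[1], stored)


def accounts_to_rotate(unsalted_db: dict[str, str], wordlist: list[str]) -> list[str]:
    """Defender's audit of an unsalted table: each dictionary word is hashed
    once, and that single digest matches every account using the word."""
    weak_digests = {unsalted_sha512(word) for word in wordlist}
    return sorted(user for user, digest in unsalted_db.items() if digest in weak_digests)


# Constructed sample accounts (not real data).
SAMPLE_USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "V9#rq!t2Lx-pW"}

# Unsalted: alice and bob end up with the same stored value.
UNSALTED_DB = {user: unsalted_sha512(pw) for user, pw in SAMPLE_USERS.items()}

# Salted: the same password yields unrelated values per account, so a
# precomputed word -> digest table no longer applies to the whole table.
SALTED_DB = {user: salted_pbkdf2(pw) for user, pw in SAMPLE_USERS.items()}

if __name__ == "__main__":
    print("same unsalted hash:", UNSALTED_DB["alice"] == UNSALTED_DB["bob"])
    print("same salted hash:  ", SALTED_DB["alice"][1] == SALTED_DB["bob"][1])
    print("force rotation for:", accounts_to_rotate(UNSALTED_DB, ["password", "sunshine"]))
```

With the salted table, checking one candidate word costs one slow derivation per account rather than one fast hash for the whole user base.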
This archive was generated by hypermail 2.2.0 : Tue Apr 13 2010 - 22:35:30 PDT