[ISN] Hackers Hit Apache.org, Compromise Passwords

From: InfoSec News <alerts_at_private>
Date: Wed, 14 Apr 2010 00:25:59 -0500 (CDT)
http://www.eweek.com/c/a/Security/Hackers-Hit-Apacheorg-Compromise-Passwords-896918/

By Brian Prince
eWeek.com
2010-04-13

The Apache Software Foundation reports that it was hit earlier in April 
by a sophisticated attack that compromised user passwords.

Hackers launched a multistage, targeted attack against the Apache 
Software Foundation's infrastructure April 5 that compromised user 
passwords.

According to the foundation, the hackers took advantage of an XSS 
(cross-site scripting) vulnerability using a shortened URL to target the 
server hosting issue-tracking software for the open-source group's 
projects. The foundation uses a donated instance of Atlassian JIRA to 
track issues and requests, and hosted the instance on brutus.apache.org, 
running Ubuntu Linux 8.04 LTS.

"If you are a user of the Apache-hosted JIRA, Bugzilla or Confluence, a 
hashed copy of your password has been compromised," the foundation said 
in an April 13 statement on the Apache Infrastructure Team blog. "JIRA 
and Confluence both use a SHA-512 hash, but without a random salt. We 
believe the risk to simple passwords based on dictionary words is quite 
high, and most users should rotate their passwords."

[...]
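The statement's warning about unsalted SHA-512 can be made concrete. The following is an added example, not code from the article, from Atlassian or from Apache's infrastructure; the accounts, the wordlist and the PBKDF2 iteration count are constructed for illustration. It shows the two consequences of storing hashes without a per-user random salt: accounts that chose the same password are visible as duplicate digests without any guessing, and one precomputed table of wordlist digests matches every account at once, whereas a salted, iterated scheme forces separate work per account.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed example accounts (not real Apache users). Two chose the same word.
SAMPLE_PASSWORDS = {
    "alice": "sunflower",
    "bob": "correcthorse",
    "carol": "sunflower",
}

# Constructed tiny wordlist standing in for a dictionary.
SAMPLE_WORDLIST = ["password", "sunflower", "letmein", "apache"]


def unsalted_sha512(password: str) -> str:
    """The scheme the statement describes: plain SHA-512, no salt."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA512).
    Stored as 'pbkdf2_sha512$iterations$salt_hex$digest_hex' (constructed format)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha512":
        raise ValueError("unknown scheme")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


def build_store(passwords: Dict[str, str], hash_fn) -> Dict[str, str]:
    """Build a {username: stored_hash} table with the given scheme."""
    return {user: hash_fn(pw) for user, pw in passwords.items()}


def shared_hash_groups(store: Dict[str, str]) -> List[List[str]]:
    """Defender's check: accounts whose stored hashes are identical.
    With unsalted hashes, equal passwords give equal digests, so shared
    passwords are exposed before a single guess is made."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in store.items():
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def accounts_needing_rotation(store: Dict[str, str],
                              wordlist: Iterable[str]) -> List[str]:
    """Audit for an unsalted store: accounts whose digest appears in a table
    of wordlist digests. The table is computed once and reused for every
    account, which is why dictionary-word passwords are at high risk here."""
    table = {unsalted_sha512(w): w for w in wordlist}
    return sorted(user for user, h in store.items() if h in table)


def guess_cost(num_accounts: int, wordlist_size: int,
               iterations: int, salted: bool) -> int:
    """Hash computations needed to test every word against every account.
    Unsalted: one table serves all accounts. Salted and iterated: each
    account needs its own full pass, multiplied by the iteration count."""
    if salted:
        return num_accounts * wordlist_size * iterations
    return wordlist_size


if __name__ == "__main__":
    weak = build_store(SAMPLE_PASSWORDS, unsalted_sha512)
    strong = build_store(SAMPLE_PASSWORDS, salted_pbkdf2)
    print("unsalted duplicate groups:", shared_hash_groups(weak))
    print("salted duplicate groups:  ", shared_hash_groups(strong))
    print("unsalted accounts to rotate:", accounts_needing_rotation(weak, SAMPLE_WORDLIST))
    print("work, unsalted:", guess_cost(3, len(SAMPLE_WORDLIST), 200_000, salted=False))
    print("work, salted:  ", guess_cost(3, len(SAMPLE_WORDLIST), 200_000, salted=True))
```

Running the `__main__` section shows `alice` and `carol` grouped together under the unsalted scheme and no groups at all under the salted one, even though their passwords are identical. The `guess_cost` figures are the reason the statement singles out dictionary-word passwords: the unsalted case needs one digest per word, total, while the salted and iterated case needs one full pass per account.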


Received on Tue Apr 13 2010 - 22:25:59 PDT