Slashdot Mirror


SpreadFirefox Security Breached (again)

Kurt writes "The hugely popular SpreadFirefox project, a Firefox community marketing site, has recently fallen victim to a security breach in their TWiki software. This breach has forced the site to shut down until October 19th. During this time, they will be performing a rebuild of the SpreadFirefox system, to hopefully curb more security breaches."

13 of 140 comments

  1. Wrong Date by rb2297 · · Score: 5, Informative

    It says the site is down until the 15th not the 19th...

  2. Re:Message by druske · · Score: 5, Informative

    The SpreadFirefox team sent this email out to registered users:

    The Spread Firefox Team became aware this week that the server hosting
    Spread Firefox, our community marketing site, has been accessed by
    unknown remote attackers who attempted to exploit a security
    vulnerability in TWiki software installed on the server. The TWiki
    software was disabled as soon as we were aware of the attempts to access
    SpreadFirefox.com. This exploit was limited to SpreadFirefox.com and
    did not affect mozilla.org web sites or Mozilla software.

    We have scanned Spread Firefox servers and at this time do not believe
    any sensitive data was taken, but as a precautionary measure we have
    shut down the site and will be rebuilding the web site from scratch. We
    also recommend that you change your Spread Firefox password and the
    password of any accounts where you use the same password as your Spread
    Firefox account. We will notify you again when the site is back up with
    instructions on how to change your password. (Note: We do use MD5
    hashing on the passwords, but MD5 cannot protect all passwords against
    off-line dictionary style attacks.)

    After Spread Firefox was compromised in July, we instituted procedures
    to ensure that we apply all security fixes to the software running the
    site (Drupal and PHP) as soon as they become available. Unfortunately,
    those procedures overlooked the installation of the TWiki software since
    it is not used by the main Spread Firefox site. When the system is
    rebuilt, all the software will be audited to ensure that security
    updates will be applied in a timely manner. We deeply regret this
    incident and any inconvenience this may have caused you.

    Sincerely,

    Spread Firefox Team
    Mozilla Foundation

  3. Not Mozilla software that was hacked by elfguygmail.com · · Score: 3, Informative

    It's not Mozilla software that got hacked. If it's indeed the Wiki part, then it's the MediaWiki software, which is also open source but has nothing to do with Mozilla or Firefox. Either way, that web site is very user based where tons of tools were hosted for the community like public forums and freely editable wikis, so it's not surprising that some of them may have issues. Until the actual mozilla.org site gets hacked, which I highly doubt it will ever happen, there's nothing to worry about.

    1. Re:Not Mozilla software that was hacked by kccricket · · Score: 3, Informative

      It's not about the fact that it was a user community, rather than the actual Mozilla.org site that was compromised.

      Yeah, except that:
      This exploit was limited to SpreadFirefox.com and did not affect mozilla.org web sites or Mozilla software.
      --
      * chirp * chirp *
    2. Re:Not Mozilla software that was hacked by sprintstar · · Score: 5, Informative

      It wasn't MediaWiki, it was TWiki. They have (AFAIK) nothing to do with each other.

  4. Here comes the trolls! by LordKazan · · Score: 2, Informative

    While the "but open source is supposed to be more secure!" trolls will open their mouths about how this is evidence we're wrong - it's not.

    All software and therefore all websites contain vulnerabilities.
    The advantage of OSS is that these security holes are fixed promptly.

    Thanks to someone posting the original email announcement we know that this breach was due to poor server administration in that they didn't keep their software patched up to the latest version. This vulnerability is probably fixed in the latest TWiki releases being that someone is out there exploiting it.

    --
    If you cannot keep politics out of your moderation remove yourself from the Mod Lottery.. NOW!
  5. We're done with TWiki by po8 · · Score: 5, Informative

    I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.

    Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin. MoinMoin is written in Python rather than Perl, and seems to be better thought out in terms of security, although I had to hack up the source some to get what I wanted. Some open source migration tools will be made available shortly.

    I wouldn't recommend to anyone that they run a publicly-viewable TWiki installation at this point.

    1. Re:We're done with TWiki by Florian+Weimer · · Score: 2, Informative

      I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases.

      TWiki is not part of any official Debian release. The current round of bugs was fixed for the twiki package in unstable in March 2005, in version 20040902-2.

      Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security)

      Actually, it's not that bad. External processes are only invoked in very few places, and it's more or less straightforward to patch them so that shell command injection is probably impossible (not "provably impossible" of course, but close). See my TWiki robustness patch for the details.

      I wouldn't recommend to anyone that they run a publicly-viewable TWiki installation at this point.

      The alternatives aren't that much better, unfortunately. You might be able to trade shell command injection for SQL injection. The wiki mindset seems to be quite a bit away from a computer security mindset. But this shouldn't come as a surprise because giving permission to random visitors to edit your site needs quite a bit of faith.
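The pattern described above (the few places where the Perl code hands user input to an external process, patched so no shell is ever consulted) as an added illustration; this is not TWiki's code nor Florian Weimer's patch, and the rlog location, data directory and topic-name pattern are assumptions:

```perl
# Added example (not TWiki code): a wiki script that lists the revision
# history of a topic by calling an external tool. Shown first as the
# interpolating form that reaches /bin/sh, then as the hardened form.
use strict;
use warnings;

# Hypothetical layout: history lives in RCS-style ",v" files under a
# fixed server directory; both paths below are assumptions.
my $DATA_DIR = '/var/lib/wiki/data';
my $RLOG     = '/usr/bin/rlog';

# Sanitise the environment before any exec; with "perl -T" this is
# required, without it it is still good hygiene.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Vulnerable form: backticks always spawn a shell, so any shell
# metacharacter inside $topic is interpreted by that shell.
sub revisions_unsafe {
    my ($topic) = @_;
    return `$RLOG $DATA_DIR/$topic.txt,v`;
}

# Hardened form: (1) accept only a strict WikiWord-style name, which
# also untaints it under -T; (2) use the list form of open(), which
# execs the program directly with separate arguments and no shell.
sub revisions_safe {
    my ($topic) = @_;
    my ($clean) = $topic =~ /\A([A-Z][A-Za-z0-9]{1,63})\z/
        or die "invalid topic name\n";
    open(my $fh, '-|', $RLOG, "$DATA_DIR/$clean.txt,v")
        or die "cannot run $RLOG: $!\n";
    local $/;                 # slurp the whole output
    my $out = <$fh>;
    close $fh;
    return $out;
}

# The validation step on its own (no external process needed):
for my $name ('WebHome', 'Web Home', 'Web|Home', 'webhome') {
    my $verdict = $name =~ /\A[A-Z][A-Za-z0-9]{1,63}\z/ ? 'accepted' : 'rejected';
    print "$name: $verdict\n";
}
```

Only the first name is accepted; the other three are rejected before any process is started, which is the property the allow-list provides independently of how the tool is invoked.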

    2. Re:We're done with TWiki by dbg400 · · Score: 4, Informative

      I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.

      I'm running the TWiki Debian packages (from Unstable) but follow the security mailing list and fortunately have patched (just) in time (so far). The first of the two recent vulnerabilities brought an attempted attack on my server around 12 hours after getting the initial email warning.

      Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin

      It's probably not much consolation, but the upcoming Dakar release features a much revised code base with security in mind.

  6. Re:hm by LnxAddct · · Score: 4, Informative

    This was a problem with one very small portion (twiki) of spreadfirefox. The system was set up regardless so that no user information was exposed. Nothing bad happened, spreadfirefox sent out a nice email to all registered users just letting them know that a remote attack was attempted.
    Regards,
    Steve

  7. Re:Wow, on the heels of the HP/Netscape news... by LWATCDR · · Score: 3, Informative

    But this isn't the Mozilla project. And Mozilla is inherently safer than IE.
    Why? Because Mozilla isn't part of the OS. Exploits in IE have tended to open up the entire OS to virus and malware. Exploits in Mozilla tend to crash Mozilla. Same thing with Outlook and Thunderbird.
    Finally to answer this statement of yours
    "Wake up kids. They're as fallible as anyone at Microsoft and things like this will happen. Whether it is the browser or the websites hosting or the wikis, or whatever, mistakes are going to be made and patches and corrections will need to be done."
    If you look at the spreadfirefox.org website you will see this statement "This site is not connected to the Mozilla Foundation"
    So... your point is? The cracking of this website that is not connected to the Mozilla Foundation proves what????

    I agree that Mozilla is not perfect just better than IE.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  8. Re:Hmmm... by j-turkey · · Score: 3, Informative

    From the email sent out, it says that:

    We have scanned Spread Firefox servers and at this time do not believe any sensitive data was taken, but as a precautionary measure we have shutdown the site and will be rebuilding the web site from scratch. We also recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account.

    It seems safe to assume that personal information is a subset of sensitive data, no?

    --

    -Turkey

  9. Re:The difference between Mozilla and Firefox... by ninja_assault_kitten · · Score: 2, Informative

    I think you've missed the point. Firefox (and its users) began not with a claim of a faster response to security issues, but rather to a superior security architecture which was less conducive to the remotely exploitable vulnerabilities IE has fallen victim to. Clearly they were wrong and now all they have to hang on to is their response time, which they push every second they can.