Slashdot Mirror


SpreadFirefox Security Breached (again)

Kurt writes "The hugely popular SpreadFirefox project, a Firefox community marketing site, has recently fallen victim to a security breach in their TWiki software. This breach has forced the site to shut down until October 19th. During this time, they will be performing a rebuild of the SpreadFirefox system, to hopefully curb more security breaches."

10 of 140 comments

  1. hm by sexyrexy · · Score: 4, Insightful

    OSS isn't inherently any more secure than proprietary software. It's just that the nature of the typical OSS developer vs a corporation means that the OSS organization is more transparent when bad things do happen. It doesn't mean that the security breach didn't already happen, though.

    --

    Rex is 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

    1. Re:hm by LnxAddct · · Score: 4, Informative

      This was a problem with one very small portion (twiki) of spreadfirefox. The system was set up regardless so that no user information was exposed. Nothing bad happened, spreadfirefox sent out a nice email to all registered users just letting them know that a remote attack was attempted.
      Regards,
      Steve

    2. Re:hm by ArsenneLupin · · Score: 4, Insightful
      the OSS organization is more transparent when bad things do happen

      That's correct. OSS organizations already warn their public if something might have happened to their website.

      Commercial organizations, on the other hand, don't warn their public. There may even be entire herds of goats trampling all over their website, and the public still isn't warned. Instead they quietly chase away the goats, still without a word of explanation to the public. And then completely forget to mend the fence through which the goats entered!

    3. Re:hm by ajs318 · · Score: 4, Insightful

      OSS is inherently more secure than proprietary software.

      Proprietary software authors do not have to do things "properly", they just kludge things together that may or may not work in every possible weirdy case, and rely on nobody ever seeing what an awful job they made of it in the first place. Witness any open source project that used to be closed-source {Mozilla; OpenOffice.org; Solaris}. Open Source developers have to write code that they would not be ashamed to show to anybody, because they do not know who is going to be looking at it. To quote Larry Wall, "Hubris is the quality that makes you write (and maintain) programs that other people won't want to say bad things about. Hence, the third great virtue of a programmer." They also have to write code in such a way that it won't be obvious from inspecting it how to misuse it.

      Morbid curiosity is what makes people look at source code; and there are significantly more good guys than bad, so if anyone is looking at your source code, the chances are that their intentions are honourable.

      --
      Je fume. Tu fumes. Nous fûmes!

  2. Wrong Date by rb2297 · · Score: 5, Informative

    It says the site is down until the 15th not the 19th...

  3. Re:Message by druske · · Score: 5, Informative

    The SpreadFirefox team sent this email out to registered users:

    The Spread Firefox Team became aware this week that the server hosting
    Spread Firefox, our community marketing site, has been accessed by
    unknown remote attackers who attempted to exploit a security
    vulnerability in TWiki software installed on the server. The TWiki
    software was disabled as soon as we were aware of the attempts to access
    SpreadFirefox.com. This exploit was limited to SpreadFirefox.com and
    did not affect mozilla.org web sites or Mozilla software.

    We have scanned Spread Firefox servers and at this time do not believe
    any sensitive data was taken, but as a precautionary measure we have
    shut down the site and will be rebuilding the web site from scratch. We
    also recommend that you change your Spread Firefox password and the
    password of any accounts where you use the same password as your Spread
    Firefox account. We will notify you again when the site is back up with
    instructions on how to change your password. (Note: We do use MD5
    hashing on the passwords, but MD5 cannot protect all passwords against
    off-line dictionary style attacks.)

    After Spread Firefox was compromised in July, we instituted procedures
    to ensure that we apply all security fixes to the software running the
    site (Drupal and PHP) as soon as they become available. Unfortunately,
    those procedures overlooked the installation of the TWiki software since
    it is not used by the main Spread Firefox site. When the system is
    rebuilt, all the software will be audited to ensure that security
    updates will be applied in a timely manner. We deeply regret this
    incident and any inconvenience this may have caused you.

    Sincerely,

    Spread Firefox Team
    Mozilla Foundation

  4. Dupe! by Scoria · · Score: 4, Funny

    Look at this! Now they're even taunting us by appending "(again)" to the duplicate subject entries!

    --
    Do you like German cars?

  5. We're done with TWiki by po8 · · Score: 5, Informative

    I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.

    Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin. MoinMoin is written in Python rather than Perl, and seems to be better thought out in terms of security, although I had to hack up the source some to get what I wanted. Some open source migration tools will be made available shortly.

    I wouldn't recommend to anyone that they run a publicly-viewable TWiki installation at this point.

    1. Re:We're done with TWiki by dbg400 · · Score: 4, Informative

      I also recently had my TWiki-based wiki farm broken into, for the 3rd time in 4 years, despite trying to stay up to date at least with Debian releases. Fortunately, I had each wiki set up to run suexec as an individual user, so the damage was reasonably well contained.

      I'm running the TWiki Debian packages (from Unstable) but follow the security mailing list and fortunately have patched (just) in time (so far). The first of the two recent vulnerabilities brought an attempted attack on my server around 12 hours after getting the initial email warning.

      Since TWiki's security problems seem intractable (giant Perl codebase that's very difficult to audit and doesn't seem to have been designed to handle security) I decided that enough is enough and followed freedesktop.org's lead in moving the whole farm to MoinMoin

      It's probably not much consolation, but the upcoming Dakar release features a much revised code base with security in mind.

  6. Re:Not Mozilla software that was hacked by sprintstar · · Score: 5, Informative

    It wasn't MediaWiki, it was TWiki. They have (AFAIK) nothing to do with each other.