Slashdot Mirror


Apache Foundation Attacked, Passwords Stolen

Trailrunner7 writes "Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a 'direct, targeted attack.' The hackers hit the server hosting the software that Apache.org uses to track issues and requests and stole passwords from all users. The software was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS, the group said."

3 of 214 comments

  1. Re:Naturally, the passwords were not in clear by bark · Score: 3, Interesting

    If you read the article, the Apache folks were compromised before the Atlassian breach - and in the article, it appears Apache contacted Atlassian regarding the XSS compromise, which was used 2 days later directly on Atlassian itself.

  2. every site in the world should have frame busting by circletimessquare · Score: 3, Interesting

    http://en.wikipedia.org/wiki/Framekiller

    one line of code:

    if (top != self) top.location.replace(self.location.href); // only bust out when actually framed; unconditional replace() reloads a top-level page forever

    put it in every page you ever publish on the web

    it's not 100% foolproof, nothing is

    but it's so little effort for protection from an important kind of xss attack

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
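
The framekiller idea above, as an added example that is not code from the comment or the linked Wikipedia article: the classic one-liner beside a more robust variant that hides the page until it is confirmed top-level. `win` and `doc` are assumed browser-like objects passed in so the decision logic can be exercised outside a browser; in a real page they would be `window` and `document`.

```javascript
// Added example (not the commenter's code). The classic one-liner can fail
// silently: a hostile parent page can refuse the navigation, leaving the framed
// page visible and clickable. The robust pattern below hides the page first and
// only reveals it once the script has confirmed it is the top-level document.
// `win` and `doc` are assumed browser-like objects so this runs outside a browser.

// True when this document is rendered inside a frame. Some engines throw when a
// cross-origin parent is inspected; treat that as framed as well.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Classic framekiller: navigate only when actually framed. An unconditional
// replace() at top level would reload the page in a loop.
function classicFramekiller(win) {
  if (!isFramed(win)) return 'not-framed';
  win.top.location.replace(win.self.location.href);
  return 'busted';
}

// Robust variant: content stays hidden unless we are top-level, so even if the
// parent blocks the navigation nothing clickable is exposed to a clickjacker.
// Server-side, X-Frame-Options: DENY or a CSP frame-ancestors directive should
// back this up, because the parent can disable or sandbox our script entirely.
function robustFramekiller(win, doc) {
  if (!isFramed(win)) {
    doc.body.style.display = 'block'; // confirmed top-level: reveal the page
    return 'shown';
  }
  doc.body.style.display = 'none'; // framed: keep the page blank
  try {
    win.top.location.replace(win.self.location.href);
  } catch (e) {
    // navigation refused by the parent: page simply remains blank
  }
  return 'hidden';
}
```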

  3. Re:Naturally, the passwords were not in clear by Firehed · Score: 3, Interesting

    And TFS said that passwords were stolen via an XSS exploit. You could be storing passwords on the server with some sort of quantum solution and still be screwed, because the passwords are stolen before they hit the server.

    Sounds like there are two stages here though. Get admin access via logging passwords with the XSS exploit, and then get at the DB and do whatever the hell they want. Even if you have XSS vulnerabilities (and they're terribly common), admins should still know better than to log in through a TinyURL link, since that's now one of the easiest ways for a malicious user to get a vulnerability on the page.

    That said, storing unsalted hashes is still abysmally stupid.

    --
    How are sites slashdotted when nobody reads TFAs?