GNU Savannah Site Compromised

Trailrunner7 writes "A site belonging to the Savannah GNU free software archive was attacked recently, leading to a compromise of encrypted passwords and enabling the attackers to access restricted project material. The compromise was the result of a SQL injection attack against the savannah.gnu.org site within the last couple of days and the site is still offline now. A notice on the site says that the group has finished the process of restoring all of the data from a clean backup and bringing up access to some resources, but is still in the middle of adjusting its security settings."

SQL Injection attack

[mevets]

If you have a sign on your back that says "kick me", and people kick you, it isn't an attack. It is a response to an invitation.

A net-facing program which just blindly passes whatever crap is input into another programming language (sql, in this case) is simply stupid, broken, and wearing a "kick me" sign.

If my net facing program just bundled user input into 'cmd', and did "system(cmd)"; you would hardly consider that a "shell injection attack". It is simply really bad software. No need for fancy terms.

Re:Encrypted passwords?

[/dev/trash]

Little Bobby tables!