Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSUSE Forums Defaced, Email Addresses Leaked

Posted by Unknown on from the should've-used-slash dept.

sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords where indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution." SuSE was using vBulletin 4.x which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.

50 of 82 comments (clear)

  1. Shocked that a company uses a product? by Anonymous Coward · · Score: 1, Insightful

    What, maybe they wanted to pay for something, rather than use the open-source alternative, which isn't always the best choice.

    1. Re:Shocked that a company uses a product? by Hadlock · · Score: 2, Informative

      vBulletin is pretty solid software from an end-user standpoint. It's more or less the standard interface that all other BB software emulates. Even if it's not perfect. It's also easy to administer and is ready to go out of the box. I've seen a lot of open source options that are similar, but vBulletin seems to do it best. I'm a little surprised that the OP would look down on a pretty standard product.

      --
      moox. for a new generation.
    2. Re:Shocked that a company uses a product? by mlts · · Score: 2

      I'm curious about the NetIQ Access Manager backend. If this is good enough to keep a dedicated intruder out, it might be worth footnoting this product for later use should the need arise to build a forum site for a small business.

    3. Re:Shocked that a company uses a product? by allanjude8027 · · Score: 1

      The attacker in this case was only armed with a known exploit for vBulletin. I am guessing they didn't even know NetIQ was there. Using any external authentication system would be a benefit in the case of a vBulletin exploit, as vBulletin is going to give the attacker full access to your SQL database, so having your passwords stored somewhere else, will require the attacker to be more than a run-of-the-mill website defacer.

    4. Re:Shocked that a company uses a product? by MechanicJay · · Score: 4, Informative

      Access Manager is an extremely capable enterprise class single-sign-on product (It's the current incarnation of Novell's iChain SSO product). I'm using it here to protect about 30+ backed web-applications. I can do access restrictions based on LDAP group memberships, inject identity information in http headers, do behind the scenes form-fill login for applications that wouldn't know what SSO was if it fell on them and so much more. Currently just finished a Radius server integration for 2 factor auth. It's one of the two best pieces of enterprise software I've ever used. (Riverbed's Stingray appliance being the other).

    5. Re:Shocked that a company uses a product? by Anonymous Coward · · Score: 2, Interesting

      Not fully proprietary. One should also just note that SUSE, the parent for openSUSE, is fully owned by Attachmate Group. Attachmate Group acquired Novell and NetIQ. Novell Access Manager was rebranded (recently) to NetIQ Access Manager. SUSE doesn't pay a licensing fee to use software owned by their parent company and, while proprietary, is proprietary to themselves. vBulletin, on the other hand, is third party that they are likely paying a licensing fee for.

    6. Re:Shocked that a company uses a product? by mlts · · Score: 1

      I like the idea of having it in a separate product, on a separate server. Separation of duties 101. To boot, the product can use Google's Authenticator. This isn't the be all and end all in security, but it does provide the website designer with that ability to allow end users to use two factor authentication.

      So far, I've done some work on an appliance that is essentially a separate box that stores username/password hash tuples, prohibits a wholesale dump of files (unless one physically attaches a usb flash drive), and handles the lockouts on the appliance end, so even if the web app and DB got hacked, the username/passwords are out of reach, barring a physical intrusion. However, something like this product stated above seems to do what I've been doing on an amateur level a lot better.

    7. Re:Shocked that a company uses a product? by Kalriath · · Score: 1

      No it doesn't. All the other database drivers were phased out (source: I was the poor bastard that maintained MSSQL for it).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  2. SUSE/openSUSE using proprietrary software by __aardcx5948 · · Score: 2

    ... no it's not shocking, you use the best tool for the job.

    1. Re:SUSE/openSUSE using proprietrary software by mcgrew · · Score: 1

      Obviously this closed source software wasn't, in fact, the best tool for the job. If it were it wouldn't have been hacked.

      Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.

      --
      Free Martian Whores!
    2. Re:SUSE/openSUSE using proprietrary software by rujasu · · Score: 1

      ... which vBulletin 4.x clearly was not.

    3. Re:SUSE/openSUSE using proprietrary software by SJHillman · · Score: 2

      Just because something is the best tool for the job doesn't mean it's invulnerable. The best hammers can break even if all you're doing is pounding nails.

    4. Re:SUSE/openSUSE using proprietrary software by amicusNYCL · · Score: 3, Informative

      Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.

      Just because they pay for a license doesn't mean they don't get the source code. The PHP code is right there if they want to go through it, vBulletin simply asks that people pay to use the software.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re:SUSE/openSUSE using proprietrary software by poet · · Score: 1

      Mcgrew,

      I would love for you to cite your comment with references to Open Source single sign-on software that is better than the closed source contenders. (I will grant you that it is ridiculous that they were using closed source bulletin board software).

      --
      Get your PostgreSQL here: http://www.commandprompt.com/
    6. Re:SUSE/openSUSE using proprietrary software by Kalriath · · Score: 1

      Shibboleth? Hahahahaha... erm. I'll see myself out.

      But seriously, as another person mentioned, to SUSE, NetIQ Access Manager isn't closed source - it's their own product (well, made my another company in the same group).

      In terms of it being ridiculous that they were using a closed source bulletin board... why is that? They simply decided vBulletin was the best tool for the job, it's not like they were using vBulletin 5 or anything.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  3. Proprietary, No Cost, Open Source by tomhath · · Score: 1

    People seem to confuse those terms. AFAIK vBulletin is proprietary and charges a reasonable fee to use. I have no idea if the source is available but is appears to be mostly PHP, Javascript, and HTML - so maybe.

    1. Re:Proprietary, No Cost, Open Source by amicusNYCL · · Score: 1

      The system requirements only list various versions of PHP and MySQL. They don't say anything about requiring something to execute encrypted PHP source code, and they don't require any particular OS so it doesn't sound like they ship binaries.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Proprietary, No Cost, Open Source by Kremmy · · Score: 2

      Being a web application written in PHP, the very process of compiling to a binary is rarely ever even brought to the table. The source code is equivalent to the executable code in almost every one of those cases.

    3. Re:Proprietary, No Cost, Open Source by Kalriath · · Score: 1

      vBulletin comes with source. It does not utilise ionCube or Zend encoding.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  4. vBulletin has been a security risk for ages. by Kremmy · · Score: 1

    Why are major linux distributions relying on proprietary software after the whole BitKeeper fiasco anyway?

    1. Re:vBulletin has been a security risk for ages. by amicusNYCL · · Score: 2

      Why would they demand that everything they use costs nothing? Who cares if they pay for the source code for vBulletin to run on their server?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:vBulletin has been a security risk for ages. by Anonymous Coward · · Score: 2

      What does "proprietary" have to do with "costs nothing"?

    3. Re:vBulletin has been a security risk for ages. by Kremmy · · Score: 1

      "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

      That's kind of the point.

    4. Re:vBulletin has been a security risk for ages. by amicusNYCL · · Score: 3, Informative

      That's what I'm wondering. You pay vBulletin, they give you the source code of their application to run on your server. You've got the code, so why does it matter that they paid for it?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  5. Ugh, not "a software" again by jabberw0k · · Score: 4, Funny

    vBulletin is a proprietary forum software.

    No, vBulletin is a software package, or a program, or even "vBulletin is software" -- but never "a software." You don't have "a hardware" or "an information" or "a clothing" -- you have a piece of hardware, a piece of information, a piece of clothing, and a piece of software. Grammar check, please.

    1. Re:Ugh, not "a software" again by Anonymous Coward · · Score: 1, Funny

      I have an information for you. It says a hardware may help you to by a clothing. But you'll need a software installed first.

    2. Re:Ugh, not "a software" again by GodfatherofSoul · · Score: 2

      So, YOU'RE the asshole TA from English comp who gave me that D...excuse me...gave me A D!

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
  6. Pity it wasn't Ubuntu Forums (again) by johnsie · · Score: 1, Offtopic

    The mods on Ubuntu forums hand out refractions like there's no tomorrow. Anyone who has much as criticizes Unity or mentions the embeded sypware gets an immediate refraction.

    1. Re:Pity it wasn't Ubuntu Forums (again) by Dcnjoe60 · · Score: 1

      The mods on Ubuntu forums hand out refractions like there's no tomorrow. Anyone who has much as criticizes Unity or mentions the embeded sypware gets an immediate refraction.

      If criticizing Ubuntu will get me a new tablet, sign me up! (Per wikipedia: " Refraction is essentially a surface phenomenon")

  7. OMG That's Precious by stevegee58 · · Score: 1

    H4x0r HuSsY. You just can't make this stuff up.

    1. Re:OMG That's Precious by csumpi · · Score: 1

      He could improve it though, just by reversing the order:

      HuSsY H4x0r

      .

  8. OpenSuSE by JohnVanVliet · · Score: 2, Informative

    as a long time OpenSuSE user the forum has beed a problem for a very long time
    Novel controls it
    NOT OPENSUSE !!!!!!

    and this has been a long standing problem for the site admins
    they really do not control it

    as in the VERY LONG STANDING issue of the code and font and css used for the forum topics
    one MUST turn off the min. size font used
    or use a 9 pt font

    that can ONLY be changed by Novel and NOT by the OpenSUSE forum

    --
    "I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
  9. I need a h@cX#r name. by csumpi · · Score: 1

    I'm just worried it would take lots of extra time and effort to type something like H4x0r HuSsY multiple times a day.

  10. Shocking? by Dcnjoe60 · · Score: 4, Informative

    It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution.

    While vBulletin isn't under GPL, it is pretty liberal. You get the source code, you can modify and compile the source code, you may not redistribute it or remove the copyright notices. So, technically while not open source, your real limitation is in being allowed to redistribute it (not removing copyright is part of GPL, too).

    1. Re:Shocking? by CastrTroy · · Score: 3

      Actually, If you're given the source, and allowed to modify the source, and run the modified source, then it is for all intents and purposes open source. Just because you have to pay to have access to that, doesn't mean it's not open source. If there's a problem, you are still able to fix the problem yourself, which is the main tenet of open source software.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Shocking? by Dcnjoe60 · · Score: 1

      Actually, If you're given the source, and allowed to modify the source, and run the modified source, then it is for all intents and purposes open source. Just because you have to pay to have access to that, doesn't mean it's not open source. If there's a problem, you are still able to fix the problem yourself, which is the main tenet of open source software.

      You aren't free to redistribute the source, which is keeping it from being classified as open source, but otherwise, I agree, from the user perspective, it has all of the benefits of open source.

    3. Re:Shocking? by Kalriath · · Score: 1

      Actually, I don't think redistribution rights are a requirement of Open Source, only of Free/Libre Software.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    4. Re:Shocking? by Xtifr · · Score: 2

      Funny, because redistribution is listed as point one in the Open Source Definition.

    5. Re:Shocking? by Kalriath · · Score: 1

      Fair enough, it appears I'm wrong on that.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  11. Well... by Lirodon · · Score: 1

    vBulletin has pretty much become crap since Internet Brands bought it. Even IPB would be a bit more tolerable...

  12. 4.2.1 was old by mrspoonsi · · Score: 2

    It was patched to 4.2.2 in October, 4.2.1 had serious issues, even with 4.2.2 there have been 2 security announcements to remove vulnerable files (which are not needed to run the forum).

  13. PHP drrrp by Anonymous Coward · · Score: 1

    People need to stop using shit written in PHP,

    They got what they deserved, stupid bastards.

  14. About NetIQ Access Manager by LDAPMAN · · Score: 1

    NetIQ Access Manager is rock solid and massively scalable. I support multiple systems that use it for over 30 million users. Nothing better for web access management.

    1. Re:About NetIQ Access Manager by MechanicJay · · Score: 1

      30 Million! My AM environment is serving barely 5K. I'd love to get some details on your infrastructure. How many IDPs and AGs are you running?

    2. Re:About NetIQ Access Manager by LDAPMAN · · Score: 1

      Please contact me directly at jcombs@pointbluetech.com and I'll answer any questions you might have. Running the 3.2+ version of the gateway on Linux we have been able to run over 30K concurrent sessions on a single node. We have gone to 50K in testing on some monster hardware.

  15. Access Manager by LDAPMAN · · Score: 1

    In this case it's even better. None of the user authentication data is on the NetIQ appliance. It's all stored on an LDAP server even further back behind additional firewalls.

  16. Re:Send in the Drones by crutchy · · Score: 1

    Send in the Drones

    i read that and thought you were talking about democratic party voters

  17. Hahahaha!! by matbury · · Score: 1

    Used insecure proprietary software; got pwned. If the software has pretty GUIs and simple tools, that makes it nicer and easier for the hackers to pwn you.

    Best tool for the job? Not if its security sucks.

  18. Just cause you have the source don't make it free by taikedz · · Score: 1

    I know I'm late to the party, but I can't let this one slip :-). So, a bit of Free Software Philosophy 101 to serve up

    First off, Stallman's definitions of Software Freedoms:

    1. The freedom to run the program, for any purpose (freedom 0).
    2. The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
    3. The freedom to redistribute copies so you can help your neighbor (freedom 2).
    4. The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

    Secondly the consequence: Nobody but vBulletin is allowed to patch the hole, from a legal standpoint, lacking freedom 1, and thus lacking freedoms 2 and 3. Legally, SUSE cannot modify/improve/patch the software - they can only purchase upgrades.

    I leave this here, you know, just in case.

    --
    -- "Simplicity is prerequisite for reliability." --Dijkstra
  19. Re:Just cause you have the source don't make it fr by amicusNYCL · · Score: 1

    I'm not sure what the license actually says, so I'm not sure if they expressly disallow people from making changes or not. Practically, they couldn't do that, if they are distributing the code then people are able to change it. It might not make sense to change it if you're just going to update at some point in the future, but it's a possibility.

    Anyway, the reason I kept posting things like that was because people kept referring to the software as "closed-source" or something like that, when it's not. The source is open, it's just not free. The major difference between vBulletin and any other open-source PHP project is the license, that's it. It's open-source software that isn't free (both kinds).

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black