Slashdot Mirror


OpenSUSE Forums Defaced, Email Addresses Leaked

sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by the handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using the proprietary forum software vBulletin as well as a proprietary single sign-on solution." SuSE was using vBulletin 4.x, which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.

18 of 82 comments shown

  1. SUSE/openSUSE using proprietary software by __aardcx5948 · · Score: 2

    ... no it's not shocking, you use the best tool for the job.

    1. Re:SUSE/openSUSE using proprietary software by SJHillman · · Score: 2

      Just because something is the best tool for the job doesn't mean it's invulnerable. The best hammers can break even if all you're doing is pounding nails.

    2. Re:SUSE/openSUSE using proprietary software by amicusNYCL · · Score: 3, Informative

      Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.

      Just because they pay for a license doesn't mean they don't get the source code. The PHP code is right there if they want to go through it, vBulletin simply asks that people pay to use the software.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  2. Re:Shocked that a company uses a product? by Hadlock · · Score: 2, Informative

    vBulletin is pretty solid software from an end-user standpoint. It's more or less the standard interface that all other BB software emulates. Even if it's not perfect. It's also easy to administer and is ready to go out of the box. I've seen a lot of open source options that are similar, but vBulletin seems to do it best. I'm a little surprised that the OP would look down on a pretty standard product.

    --
    moox. for a new generation.
  3. Ugh, not "a software" again by jabberw0k · · Score: 4, Funny

    vBulletin is a proprietary forum software.

    No, vBulletin is a software package, or a program, or even "vBulletin is software" -- but never "a software." You don't have "a hardware" or "an information" or "a clothing" -- you have a piece of hardware, a piece of information, a piece of clothing, and a piece of software. Grammar check, please.

    1. Re:Ugh, not "a software" again by GodfatherofSoul · · Score: 2

      So, YOU'RE the asshole TA from English comp who gave me that D...excuse me...gave me A D!

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
  4. Re:vBulletin has been a security risk for ages. by amicusNYCL · · Score: 2

    Why would they demand that everything they use costs nothing? Who cares if they pay for the source code for vBulletin to run on their server?

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  5. Re:vBulletin has been a security risk for ages. by Anonymous Coward · · Score: 2

    What does "proprietary" have to do with "costs nothing"?

  6. Re:Proprietary, No Cost, Open Source by Kremmy · · Score: 2

    Being a web application written in PHP, the very process of compiling to a binary is rarely ever even brought to the table. The source code is equivalent to the executable code in almost every one of those cases.

  7. Re:vBulletin has been a security risk for ages. by amicusNYCL · · Score: 3, Informative

    That's what I'm wondering. You pay vBulletin, they give you the source code of their application to run on your server. You've got the code, so why does it matter that they paid for it?

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  8. Re:Shocked that a company uses a product? by mlts · · Score: 2

    I'm curious about the NetIQ Access Manager backend. If this is good enough to keep a dedicated intruder out, it might be worth footnoting this product for later use should the need arise to build a forum site for a small business.

  9. OpenSuSE by JohnVanVliet · · Score: 2, Informative

    As a long-time OpenSuSE user, the forum has been a problem for a very long time.
    Novell controls it,
    NOT OPENSUSE !!!!!!

    and this has been a long-standing problem for the site admins:
    they really do not control it.

    As in the VERY LONG-STANDING issue of the code and font and CSS used for the forum topics:
    one MUST turn off the min. size font used
    or use a 9 pt font.

    That can ONLY be changed by Novell and NOT by the OpenSUSE forum.

    --
    "I don't pitch OpenSUSE Linux to my friends, I let Microsoft do it for me."
  10. Re:Shocked that a company uses a product? by MechanicJay · · Score: 4, Informative

    Access Manager is an extremely capable enterprise-class single-sign-on product (it's the current incarnation of Novell's iChain SSO product). I'm using it here to protect about 30+ backend web applications. I can do access restrictions based on LDAP group memberships, inject identity information in HTTP headers, do behind-the-scenes form-fill login for applications that wouldn't know what SSO was if it fell on them, and so much more. I just finished a RADIUS server integration for two-factor auth. It's one of the two best pieces of enterprise software I've ever used (Riverbed's Stingray appliance being the other).
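
The arrangement the story summary describes (credentials held only by a separate Access Manager, while the forum's own password column holds random, automatically set strings) and the header-injection mode MechanicJay describes above, sketched as an added example. This is not openSUSE's, vBulletin's or NetIQ's code, and the page does not say how Access Manager protects the headers it injects; the HMAC-signed X-Remote-User header, the PROXY_SECRET and the user records below are assumptions made for the illustration.

```python
"""Sketch of an SSO-fronted forum: the forum stores no real credential, and
trusts the proxy-injected identity header only when it can verify its origin.
Added example; all names, headers and records are hypothetical."""
import hashlib
import hmac
import secrets


# --- Forum side: a local user table whose password column is a placeholder ---

def make_placeholder_hash() -> str:
    """Produce the kind of 'random, automatically set string' a forum keeps in
    its password column when accounts really live in the SSO system.  The
    cleartext is discarded at once, so no later guess can ever match it."""
    salt = secrets.token_hex(8)
    throwaway = secrets.token_urlsafe(32)
    return salt + "$" + hashlib.sha256((salt + throwaway).encode()).hexdigest()


# Constructed sample records (hypothetical users, not real openSUSE data).
USERS = {
    "alice": {"email": "alice@example.org", "password_hash": make_placeholder_hash()},
    "bob": {"email": "bob@example.org", "password_hash": make_placeholder_hash()},
}


def local_password_login(username: str, password: str) -> bool:
    """The forum's native password check.  This is all a cracker holding a dump
    of USERS can drive, and with placeholder hashes it fails for every guess.
    Note that the e-mail column is still exposed by such a dump."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, digest = rec["password_hash"].split("$", 1)
    candidate = hashlib.sha256((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


# --- SSO side: the proxy authenticates the user and injects identity headers ---

# Hypothetical shared secret between the SSO proxy and the forum; a real
# deployment reads it from configuration, never from source.
PROXY_SECRET = b"example-proxy-secret-not-for-production"


def proxy_headers(username: str, secret: bytes = PROXY_SECRET) -> dict:
    """Headers the (hypothetical) proxy adds after it has authenticated
    `username` against the central identity store."""
    sig = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return {"X-Remote-User": username, "X-Remote-User-Signature": sig}


def sso_login(headers: dict, secret: bytes = PROXY_SECRET):
    """Forum-side handler.  Accepts X-Remote-User only when the proxy's HMAC
    over it verifies, so a client that reaches the forum directly and sets the
    header by hand is rejected.  Returns the username or None."""
    username = headers.get("X-Remote-User")
    sig = headers.get("X-Remote-User-Signature")
    if not username or not sig:
        return None
    expected = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if username not in USERS:
        return None  # a real deployment might auto-provision here instead
    return username


if __name__ == "__main__":
    # The dumped column holds only placeholders: no password guess works.
    assert not local_password_login("alice", "hunter2")
    # The proxy's signed header logs alice in ...
    assert sso_login(proxy_headers("alice")) == "alice"
    # ... but a hand-set header without the proxy's signature does not.
    assert sso_login({"X-Remote-User": "alice"}) is None
    print("ok")
```

The caveat a practitioner wants from this: whichever way the identity header is protected (a signature as assumed here, or simply making the application unreachable except through the proxy), the application must never accept the header from an arbitrary client, or the header becomes an impersonation vector that bypasses the SSO entirely. Separately, placeholder passwords protect only the password column; a dump of the forum database still yields whatever else it holds, which is why the story reports leaked e-mail addresses alongside uncompromised passwords.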

  11. Re:Shocked that a company uses a product? by Anonymous Coward · · Score: 2, Interesting

    Not fully proprietary. One should also just note that SUSE, the parent for openSUSE, is fully owned by Attachmate Group. Attachmate Group acquired Novell and NetIQ. Novell Access Manager was rebranded (recently) to NetIQ Access Manager. SUSE doesn't pay a licensing fee to use software owned by their parent company and, while proprietary, is proprietary to themselves. vBulletin, on the other hand, is third party that they are likely paying a licensing fee for.

  12. Shocking? by Dcnjoe60 · · Score: 4, Informative

    It's shocking to learn that SUSE/openSUSE are using the proprietary forum software vBulletin as well as a proprietary single sign-on solution.

    While vBulletin isn't under GPL, it is pretty liberal. You get the source code, you can modify and compile the source code, you may not redistribute it or remove the copyright notices. So, technically while not open source, your real limitation is in being allowed to redistribute it (not removing copyright is part of GPL, too).

    1. Re:Shocking? by CastrTroy · · Score: 3

      Actually, if you're given the source, and allowed to modify the source, and run the modified source, then it is for all intents and purposes open source. Just because you have to pay to have access to that doesn't mean it's not open source. If there's a problem, you are still able to fix the problem yourself, which is the main tenet of open source software.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:Shocking? by Xtifr · · Score: 2

      Funny, because redistribution is listed as point one in the Open Source Definition.

  13. 4.2.1 was old by mrspoonsi · · Score: 2

    It was patched to 4.2.2 in October; 4.2.1 had serious issues. Even with 4.2.2 there have been two security announcements to remove vulnerable files (which are not needed to run the forum).