Joined: 04 May 2005 Posts: 12440 Location: Arizona USA
Posted: Sun 16 May 2010, 00:20 Post subject:
apache.org incident report for 04/09/2010 Subject description: If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, your password is compromised
... On April 5th, the attackers via a compromised Slicehost server opened a new issue, INFRA-2591. This issue contained the following text:
ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]
Tinyurl is a URL redirection and shortening tool. This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross site scripting (XSS) attack. The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administators clicked on the link. This compromised their sessions, including their JIRA administrator rights. ...
If I understand the rest of it correctly, the administrators didn't have to be logged in as root for this attack to succeed. Sudo was used by the attackers to gain root access.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You can download files in this forum