[Members] Security message to the Infrastructure team

Jehan jehan at zemarmot.net
Wed Apr 14 00:23:23 CDT 2010


Hi all,

This message is mostly for the infrastructure team (I am not on that list,
so I am sending it here). Have you read about the attack on the Apache
Foundation's Jira? It used a cross-site scripting vulnerability in Jira, and it
enabled the attackers to get session cookies, passwords (from admins among
other users), access to machines through uploaded scripts, and then even
direct access (as an admin was using the same password for Jira and for a
local user account which had full sudo access).

So anyway, you can read the full attack here:
https://blogs.apache.org/infra/entry/apache_org_04_09_2010

It is extremely interesting. So, as a side consideration: I don't know
how our installation of Jira is set up, but it may be worth strengthening it
a little with a method similar to the one the Apache folks used (cf. the end of their
post), if it is not already, at least until this Jira vulnerability is
fixed (but in fact even after).
Hopefully we won't get attacked, but let's be cautious, shall we? :-)

Oh, and read URLs before clicking them (on Jira but anywhere else as well,
we all know that), or don't click them if they are shortened URLs (tinyurl
and the like). That's how the attackers included a script in the URL (which
redirected back to the Jira vulnerability), which began the whole
attack.
See you.

Jehan

P.S.: in fact maybe I should have made it a Jira ticket?

-- 
May the Holy Marmot be with me!
To contact me:
IM: jehan at zemarmot.net
email: jehan at zemarmot.net
http://jehan.zemarmot.net
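The attack described above started with a script smuggled into a URL and reflected by the Jira instance. As an added example (not part of the original message or of the Apache report), the following Python scans web-server access logs for query parameters that still carry script-injection markers after URL decoding, so an infrastructure team can spot such requests after the fact. The log lines, paths and payloads are constructed for illustration, and the marker list is a heuristic.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" log format; we only need client, method and target.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Heuristic markers of a script injected into a reflected parameter.
# Matched after decoding so %3Cscript%3E and <script> are treated alike.
XSS_MARKERS = re.compile(
    r'<\s*script|</\s*script|javascript\s*:|<\s*(img|svg|iframe|body)\b|\bon[a-z]+\s*=',
    re.IGNORECASE,
)

def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (payloads are often double-encoded)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious_requests(log_text: str) -> list:
    """Return one finding per query parameter that carries an XSS marker."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        parts = urlsplit(m['target'])
        # parse_qsl decodes one layer; decode_fully handles the rest.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            hit = XSS_MARKERS.search(decode_fully(raw))
            if hit:
                findings.append({'client': m['client'], 'path': parts.path,
                                 'param': name, 'marker': hit.group(0)})
    return findings

# Constructed sample log: one benign request, one single-encoded and one
# double-encoded injection attempt against a hypothetical Jira page.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2010:00:20:01 -0500] "GET /jira/browse/PROJ-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Apr/2010:00:21:13 -0500] "GET /jira/secure/Dashboard.jspa?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Apr/2010:00:22:40 -0500] "GET /jira/secure/Dashboard.jspa?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 3100 "-" "curl/7.19"
"""
```

Running `find_suspicious_requests(SAMPLE_LOG)` flags the second and third lines and reports which parameter carried the marker.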

