[Members] Security message to the Infrastructure team

Jehan jehan at zemarmot.net
Wed Apr 14 07:21:47 CDT 2010


Hi,

On Wed, 14 Apr 2010 05:48:03 -0600, Peter Saint-Andre <stpeter at stpeter.im>
wrote:
> On 4/13/10 11:23 PM, Jehan wrote:
> 
>> you can read the full attack here:
>> https://blogs.apache.org/infra/entry/apache_org_04_09_2010
> 
> We use lighttpd, not Apache.

The blog post is not fully detailed on the specific cross scripting bug's
part (but this is normal as long as the bug is not fixed): «This specific
URL redirected back to the Apache instance of JIRA, at a special URL
containing a cross site scripting (XSS) attack.».

Yet from what it seems, the vulnerability is on Jira and has nothing to do
with Apache (a cross scripting vulnerability is anyway by definition rather
a web software issue and not a web server issue). The Apache Foundation
just happens to be the target, through Jira, not through Apache.

So I think we may have as well this vulnerability, as well as many other
Jiras on the web. Maybe the Apache Foundation can be contacted to get more
details in private if you are not sure from the post.

Anyway it is always more secure to be too careful than not enough.

Jehan

-- 
Que la Sainte Marmotte soit avec moi!
Pour me contacter:
IM: jehan at zemarmot.net
email: jehan at zemarmot.net
http://jehan.zemarmot.net


More information about the Members mailing list