
Apache.Org Compromise

04/14/10

09:53:42 am, by Zach Brewer
Categories: Security Advisories, General Security


On 04/05/2010, Apache's issue tracker for projects was compromised via an XSS attack. The attackers appended a link from a simple URL redirect service to a new issue, used it to grab administrator session credentials, and ultimately downloaded hashed copies of JIRA, Bugzilla, and Confluence passwords.

While the Apache blog gives compromise details and timelines, current status, and new mitigation steps, it bears repeating that any user of Apache-hosted JIRA, Bugzilla, or Confluence should change their password immediately.

I also highly recommend the following related read: Improving Web Security: Six Ways the Apache.org JIRA Attack Could Have Been Prevented by Better Code

Priveon, Inc.

Today's complex security and networking solutions require a great deal of knowledge to successfully support and operate. Priveon uses the field experience of its expert staff to develop and maintain a positive reinforcement loop between business practices and to provide the latest information to our customers. The information posted here is supported by Priveon subject-matter experts.
