Security Bytes

Apr 14 2010   1:48PM GMT

Apache.org suffers attack, warns of password breach



Posted by: Robert Westervelt
Tags:
Apache
Password management

Software foundation warns users to change passwords as targeted cross-site scripting, brute force attacks penetrate Apache servers.

The Apache Software Foundation warned Tuesday that its infrastructure hosting issue-tracking software suffered a direct, targeted attack putting some passwords at risk.

In a blog post announcing the attack, Apache warned users of JIRA, Bugzilla and Confluence that their passwords have likely been compromised. The organization urged all users to rotate their passwords.

The risk for most users is low to moderate, since pre-built password dictionaries are not effective, but we recommend users should still remove these passwords from use.

The attack took place April 6 and those behind it changed the JIRA bug and project tracking tool login form to steal passwords. Anyone who logged into JIRA between April 6 and April 9 likely had their password compromised, the organization said.

Apache outlined details of the attack in a blog entry.

The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administators clicked on the link. This compromised their sessions, including their JIRA administrator rights.

Apache said that its use of one-time passwords helped limit the damage to a single host on the software foundation’s infrastructure.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: