A few readers pointed us to an announcement by the Apache Foundation about a breach of their bugtracking software.
First of all: kudos to Apache for publishing a nice and detailed incident report. The attack included a number of elements that, taken individually, are frequently ignored, but which turn out to be deadly when combined in an attack like this one.
According to the blog post, either a cross-site scripting attack or simple password brute forcing was used to compromise the system. While either attack appears to have had the potential to succeed, it is not clear which one was finally used to gain access.
The cross-site scripting attack used an additional twist: the malicious URL was hidden behind tinyurl.com, which made it more likely that an administrator would actually click on it.
Once the bug tracking system was compromised, the attacker modified it to log passwords. An administrator happened to use the same password to log in to the bug tracker as they use on the system itself.
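The modification described above (a login handler altered to record passwords) is the kind of change a file-integrity baseline over the deployed application would catch. The following is an added example written for this diary, not code from the diary or from Apache's incident report; the application files, the "tampered" login handler and the dropped capture file are all constructed stand-ins built in a temporary directory so the script runs offline.

```python
"""Integrity baseline check for a web application's deployed files.

Added example (not from the ISC diary or from Apache's incident report).
The file names, contents and the simulated tampering below are constructed
for demonstration; a real baseline would be taken from a known-good
deployment and stored off the host (for example as signed JSON).
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files modified, added or removed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Take a baseline, simulate tampering with the login handler, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        # Constructed stand-ins for a bug tracker's deployed files.
        (root / "lib" / "login.jsp").write_text(
            '<% String pw = request.getParameter("password"); authenticate(user, pw); %>\n'
        )
        (root / "lib" / "util.jsp").write_text("<% /* helpers */ %>\n")
        baseline = build_baseline(root)
        # Serialise the baseline as it would be stored off-host; the check
        # below reads it back rather than trusting the in-memory copy.
        baseline_json = json.dumps(baseline, indent=1)

        # Simulated tampering: the login handler now also writes the
        # submitted password somewhere the attacker can read it.
        (root / "lib" / "login.jsp").write_text(
            '<% String pw = request.getParameter("password");'
            " log(pw); authenticate(user, pw); %>\n"
        )
        # A dropped file such a modification might leave behind (constructed).
        (root / "lib" / "capture.log").write_text("example-user:example-pass\n")

        return compare_to_baseline(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run as-is, the script reports `lib/login.jsp` as modified and `lib/capture.log` as added. In practice the baseline must be captured from a trusted build and kept where a compromised host cannot rewrite it, and the comparison should run from outside the host or from a read-only medium; otherwise an attacker who can edit the login handler can edit the baseline too.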
Let's skip to the lessons learned:
See the full blog post for more details and more lessons learned.
https://blogs.apache.org/infra/entry/apache_org_04_09_2010
Apr 13th 2010