Apache Foundation Attacked, Passwords Stolen
Trailrunner7 writes "Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a 'direct, targeted attack.' The hackers hit the server hosting the software that Apache.org uses to track issues and requests and stole passwords from all users. The software was hosted on brutus.apache.org, a machine running Ubuntu Linux 8.04 LTS, the group said."
Obvious who did it (Score:3, Funny)
Finally - a CowboyNeal option that is the right one!
Should'a been running IIS! (Score:5, Funny)
Re:Obvious who did it (Score:3, Funny)
It was the Cowboy attacked Apache.
CowboyNeal....in the library....with the machete...
Re:lols (Score:5, Funny)
Hey, this is serious! These hackers might have access to the full source code for Apache. Now they can craft specially targeted attacks against most web servers - no longer does Apache have that advantage over the leaked Windows source code. A terrible day for security on the web.
Re:lols (Score:2, Funny)
Do you mean the source code for the Apache web server itself? Hasn't that always been available? Since when has it been a closed source product like IIS?
Oh, hang on a sec, there's sarcasm here?
Re:Serious Question (Score:4, Funny)
My first reaction was that we should set up a huge department-level bureaucracy, let's call it the "Department of HTTPD Security" (after the Apache server's process name HTTPD). This department will get lots of funding and quickly hire many people. Due to the short time period these people will certainly not be the best, or even very good, at security, but this is an emergency so we'll gloss over that. The Department will subsume and take over several other large and already successful security agencies like CERT. From now on any code changes trying to enter or leave Apache or any other of a number of projects will be stopped by the Department, and be forced to be inspected by these inexperienced agents. No code blocks over 3.4K lines will be allowed in. Any archive files will need to be unzipped and displayed for the agent. The Department will also keep a list of first names of programmers who have had security problems, and code from anyone matching this list will not be allowed. If any programmer complains about these rules that programmer will also be added to the list. If a programmer even jokes about Apache security or wears a T-shirt with security exploits on it they will be added to the list.
That was just my first reaction, but then I realized that would be stupid, right?
Re:TinyURL Previews (Score:5, Funny)
http://joshua.schachter.org/2009/04/on-url-shorteners.html [schachter.org]
And if that URL is too long, try: http://bit.ly/diVyDc [bit.ly]
Re:TinyURL Previews (Score:3, Funny)
And if that URL just isn't long enough, try here [hugeurl.com].