Interesting attack, but depends on user fail (Score:2)
FTA:
On April 5th, the attackers via a compromised Slicehost server opened a new issue, INFRA-2591. This issue contained the following text:
ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [tinyurl.com] [obscured]...This specific URL redirected back to the Apache instance of JIRA, at a special URL containing a cross site scripting (XSS) attack. The attack was crafted to steal the session cookie from the user logged-in to JIRA. When this issue was opened against the Infrastructure team, several of our administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights.
Oops...check those URLs, admins...
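The quoted passage describes a reflected XSS reached through a shortened link, with the page script then reading the logged-in user's session cookie. The following is an added example, not code from the article or from Apache's JIRA instance: a toy error page that echoes a query parameter unescaped (the class of bug), the same page with the parameter HTML-escaped, and a session cookie issued with HttpOnly so page script cannot read it even if an injection lands. The hostname, the `msg` parameter and the `JSESSIONID` cookie name are assumptions for illustration.

```python
# Added example (not from the article or from Apache infra): a reflected
# parameter echoed into HTML, vulnerable beside hardened, plus a session
# cookie that page script cannot read. Names and URL are constructed.
from html import escape
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample link: the 'msg' parameter carries HTML markup.
SAMPLE_URL = "https://issues.example.invalid/error.jsp?msg=%3Cb%3Ex%3C%2Fb%3E"


def _msg_param(url: str) -> str:
    """Extract the (percent-decoded) 'msg' query parameter, or ''."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_error_vulnerable(url: str) -> str:
    """Echoes the parameter into the page unchanged: whatever markup the
    link carried is interpreted by the browser as part of the page."""
    return f"<p>Error: {_msg_param(url)}</p>"


def render_error_hardened(url: str) -> str:
    """Same page, but the parameter is HTML-escaped before output, so the
    browser renders it as text rather than as markup."""
    return f"<p>Error: {escape(_msg_param(url), quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session (cookie name is an assumption).
    HttpOnly keeps the value out of document.cookie, so an injected script
    cannot read it; Secure keeps it off plaintext HTTP."""
    c = SimpleCookie()
    c["JSESSIONID"] = session_id
    c["JSESSIONID"]["httponly"] = True
    c["JSESSIONID"]["secure"] = True
    c["JSESSIONID"]["path"] = "/"
    return c.output(header="").strip()


def reflected_unmodified(url: str, rendered: str) -> bool:
    """True when the raw parameter reached the rendered page verbatim,
    i.e. the output encoding step was missing."""
    return _msg_param(url) in rendered
```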
Re: (Score:2)
But clicking on a link should never be dangerous, so for this to work there must be a bug in their bugtracking software.
don't be stupid, it's design failure (Score:2)
you can compromise your system by clicking on a link? That is fucked up design.
Re: (Score:3, Insightful)
Of course it is - one shared (at some point in time), by all browsers, amongst other software.
That's why it's "stupid" to trust your systems 100%.
You yourself don't have a quick look at a link, especially one from an unknown source, before blithely clicking?
Especially if you're logged on with root or admin rights?
Re: (Score:2)