XSS Attack

Apache Server Hacked

Jessica Thornsby

On April 5th, 2010, hackers broke into a server the Apache Software Foundation uses to keep track of software bugs, it has been revealed.

The hackers exploited a cross-site scripting (XSS) bug, in combination with a password-guessing attack against the JIRA login.jsp. By April 9th, the attackers had managed to install a JAR file that collected all passwords upon login.

“If you logged into the Apache JIRA instance between April 6th and April 9th, you should consider the password as compromised,” reads the statement, posted on the Apache website.

Atlassian have since provided a patch for JIRA to prevent XSS attacks.

“We hope our disclosure has been as open as possible and true to the ASF spirit. Hopefully others can learn from our mistakes,” concludes the statement.
