
Posted

Just found this posted on the Ubuntu forums, which are back up, and thought I'd share.  I know about 99.9999% of you run Windows, but for the 1 and a half of us here who run Linux, this may be relevant.

Source: http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/

Ubuntu Forums are back up and a post mortem

As announced previously, there was a security breach on the Ubuntu Forums. The Ubuntu Forums are now back up and running. What follows is a detailed post mortem of the breach and corrective actions taken by the Canonical IS team. In summary, the root cause was a combination of a compromised individual account and the configuration settings in vBulletin, the Forums application software. There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings.

What happened

At 16:58 UTC on 14 July 2013, the attacker was able to log in to a moderator account owned by a member of the Ubuntu Community.

This moderator account had permissions to post announcements to the Forums. Announcements in vBulletin, the Forums software, may be allowed to contain unfiltered HTML and do so by default.

The attacker posted an announcement and then sent private messages to three Forum administrators (also members of the Ubuntu community) claiming that there was a server error on the announcement page and asking the Forum administrators to take a look.

One of the Forum administrators quickly looked at the announcement page, saw nothing wrong and replied to the private message from the attacker saying so. 31 seconds after the Forum administrator looked at the announcement page (and before the administrator even had time to reply to the private message), the attacker logged in as that Forum administrator.

Based on the above and conversations with the vBulletin support staff, we believe the attacker added an XSS attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker.

Once the attacker gained administrator access in the Forums they were able to add a hook through the administrator control panel. Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the

2 people like this

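The post-mortem's root cause is announcement markup that is stored and rendered unfiltered. One standard mitigation is to pass such markup through an allowlist sanitizer before it is stored or displayed, so script elements, event-handler attributes and `javascript:` links never reach other users' browsers. The following is an added Python example, not vBulletin's code or Canonical's fix; the set of allowed tags and attributes is an assumption chosen for illustration.

```python
from html.parser import HTMLParser
from html import escape

# Allowlist of tags/attributes an announcement legitimately needs (assumption).
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
# Elements whose text content must be dropped along with the tag.
DROP_CONTENT = ("script", "style")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup keeping only allowlisted tags and attributes.

    Anything else is dropped, and text is re-escaped so user-supplied
    characters can never open or close a tag in the rendered page.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in DROP_CONTENT:
                self.skip_depth += 1
            return  # unknown tag (e.g. <img onerror=...>) is dropped whole
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on*=, style=, and any other non-allowlisted attribute
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip_depth:
            self.skip_depth -= 1
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_announcement(markup: str) -> str:
    """Return a copy of announcement markup containing only allowlisted HTML."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Sanitizing on the server side complements, rather than replaces, marking session cookies `HttpOnly` so that a script which does slip through cannot read them.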

Posted

That is a very nice write up. Thanks for the link! It's nice to see Canonical thoroughly investigate, address, and document the problem.

1 person likes this


Posted

Thanks a lot. All of us should change our passwords, just in case.


Posted

It's really embarrassing for them, I know. But keeping up to date on software is very important, as are good security practices. Hopefully, they have learned their lesson.
