OpenSUSE forums defaced via unknown vBulletin 0-day
Posted on 08 January 2014.
The official forums of the openSUSE Linux distribution have been hacked and defaced by a Pakistani hacker who goes by the handle "H4x0r HuSsY."

According to THN, the hacker defaced the site and downloaded a database containing information about nearly 80,000 forum users, using a private vBulletin zero-day exploit that allowed him to browse, read, or write/overwrite any file on the forum server without root privileges.

The exploit apparently takes advantage of a flaw present in the vBulletin version used for the openSUSE forums (4.2.1), as well as in the latest version of the online forum software package (5.0.5).

The hacker claims that the user database he managed to get his hands on contains usernames, passwords and email addresses, and has posted a redacted screenshot of it to prove his claim.

But openSUSE admins claim that passwords have not been compromised.

"Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack," they explained in a blog post. "What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password."

Still, the local database did contain users' email addresses.

They also announced that the forums will be taken offline until a fix or a workaround for the exploited flaw is found.

vBulletin is an extremely popular forum software package used by many large web forums, whose admins might want to consider doing the same.









Copyright 1998-2014 by Help Net Security.