Forgot your password?
typodupeerror
SuSE Security

OpenSUSE Forums Defaced, Email Addresses Leaked 82

Posted by Unknown Lamer
from the should've-used-slash dept.
sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords where indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution." SuSE was using vBulletin 4.x which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.
This discussion has been archived. No new comments can be posted.

OpenSUSE Forums Defaced, Email Addresses Leaked

Comments Filter:
  • by Hadlock (143607) on Wednesday January 08, 2014 @01:57PM (#45899505) Homepage Journal

    vBulletin is pretty solid software from an end-user standpoint. It's more or less the standard interface that all other BB software emulates. Even if it's not perfect. It's also easy to administer and is ready to go out of the box. I've seen a lot of open source options that are similar, but vBulletin seems to do it best. I'm a little surprised that the OP would look down on a pretty standard product.

  • by amicusNYCL (1538833) on Wednesday January 08, 2014 @02:05PM (#45899629)

    Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.

    Just because they pay for a license doesn't mean they don't get the source code. The PHP code is right there if they want to go through it, vBulletin simply asks that people pay to use the software.

  • by amicusNYCL (1538833) on Wednesday January 08, 2014 @02:33PM (#45899971)

    That's what I'm wondering. You pay vBulletin, they give you the source code of their application to run on your server. You've got the code, so why does it matter that they paid for it?

  • OpenSuSE (Score:3, Informative)

    by JohnVanVliet (945577) on Wednesday January 08, 2014 @03:22PM (#45900463) Homepage

    as a long time OpenSuSE user the forum has beed a problem for a very long time
    Novel controls it
    NOT OPENSUSE !!!!!!

    and this has been a long standing problem for the site admins
    they really do not control it

    as in the VERY LONG STANDING issue of the code and font and css used for the forum topics
    one MUST turn off the min. size font used
    or use a 9 pt font

    that can ONLY be changed by Novel and NOT by the OpenSUSE forum

  • by MechanicJay (1206650) on Wednesday January 08, 2014 @03:37PM (#45900587)

    Access Manager is an extremely capable enterprise class single-sign-on product (It's the current incarnation of Novell's iChain SSO product). I'm using it here to protect about 30+ backed web-applications. I can do access restrictions based on LDAP group memberships, inject identity information in http headers, do behind the scenes form-fill login for applications that wouldn't know what SSO was if it fell on them and so much more. Currently just finished a Radius server integration for 2 factor auth. It's one of the two best pieces of enterprise software I've ever used. (Riverbed's Stingray appliance being the other).

  • Shocking? (Score:5, Informative)

    by Dcnjoe60 (682885) on Wednesday January 08, 2014 @03:47PM (#45900679)

    It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution.

    While vBulletin isn't under GPL, it is pretty liberal. You get the source code, you can modify and compile the source code, you may not redistribute it or remove the copyright notices. So, technically while not open source, your real limitation is in being allowed to redistribute it (not removing copyright is part of GPL, too).

Nondeterminism means never having to say you are wrong.

Working...