OpenSUSE Forums Defaced, Email Addresses Leaked 82
sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords where indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution."
SuSE was using vBulletin 4.x which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.
Re:Shocked that a company uses a product? (Score:3, Informative)
vBulletin is pretty solid software from an end-user standpoint. It's more or less the standard interface that all other BB software emulates. Even if it's not perfect. It's also easy to administer and is ready to go out of the box. I've seen a lot of open source options that are similar, but vBulletin seems to do it best. I'm a little surprised that the OP would look down on a pretty standard product.
Re:SUSE/openSUSE using proprietrary software (Score:4, Informative)
Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.
Just because they pay for a license doesn't mean they don't get the source code. The PHP code is right there if they want to go through it, vBulletin simply asks that people pay to use the software.
Re:vBulletin has been a security risk for ages. (Score:4, Informative)
That's what I'm wondering. You pay vBulletin, they give you the source code of their application to run on your server. You've got the code, so why does it matter that they paid for it?
OpenSuSE (Score:3, Informative)
as a long time OpenSuSE user the forum has beed a problem for a very long time
Novel controls it
NOT OPENSUSE !!!!!!
and this has been a long standing problem for the site admins
they really do not control it
as in the VERY LONG STANDING issue of the code and font and css used for the forum topics
one MUST turn off the min. size font used
or use a 9 pt font
that can ONLY be changed by Novel and NOT by the OpenSUSE forum
Re:Shocked that a company uses a product? (Score:4, Informative)
Access Manager is an extremely capable enterprise class single-sign-on product (It's the current incarnation of Novell's iChain SSO product). I'm using it here to protect about 30+ backed web-applications. I can do access restrictions based on LDAP group memberships, inject identity information in http headers, do behind the scenes form-fill login for applications that wouldn't know what SSO was if it fell on them and so much more. Currently just finished a Radius server integration for 2 factor auth. It's one of the two best pieces of enterprise software I've ever used. (Riverbed's Stingray appliance being the other).
Shocking? (Score:5, Informative)
It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution.
While vBulletin isn't under GPL, it is pretty liberal. You get the source code, you can modify and compile the source code, you may not redistribute it or remove the copyright notices. So, technically while not open source, your real limitation is in being allowed to redistribute it (not removing copyright is part of GPL, too).