Forgot your password?
typodupeerror
SuSE Security

OpenSUSE Forums Defaced, Email Addresses Leaked 82

Posted by Unknown Lamer
from the should've-used-slash dept.
sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords where indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution." SuSE was using vBulletin 4.x which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.
This discussion has been archived. No new comments can be posted.

OpenSUSE Forums Defaced, Email Addresses Leaked

Comments Filter:
  • by Anonymous Coward

    What, maybe they wanted to pay for something, rather than use the open-source alternative, which isn't always the best choice.

    • by 0racle (667029)

      which isn't always the best choice

      But vBulletin was? Holy shit, what are the alternatives?

      • Re: (Score:3, Informative)

        by Hadlock (143607)

        vBulletin is pretty solid software from an end-user standpoint. It's more or less the standard interface that all other BB software emulates. Even if it's not perfect. It's also easy to administer and is ready to go out of the box. I've seen a lot of open source options that are similar, but vBulletin seems to do it best. I'm a little surprised that the OP would look down on a pretty standard product.

        • by mlts (1038732)

          I'm curious about the NetIQ Access Manager backend. If this is good enough to keep a dedicated intruder out, it might be worth footnoting this product for later use should the need arise to build a forum site for a small business.

          • The attacker in this case was only armed with a known exploit for vBulletin. I am guessing they didn't even know NetIQ was there. Using any external authentication system would be a benefit in the case of a vBulletin exploit, as vBulletin is going to give the attacker full access to your SQL database, so having your passwords stored somewhere else, will require the attacker to be more than a run-of-the-mill website defacer.
            • Re: (Score:2, Interesting)

              by Anonymous Coward

              Not fully proprietary. One should also just note that SUSE, the parent for openSUSE, is fully owned by Attachmate Group. Attachmate Group acquired Novell and NetIQ. Novell Access Manager was rebranded (recently) to NetIQ Access Manager. SUSE doesn't pay a licensing fee to use software owned by their parent company and, while proprietary, is proprietary to themselves. vBulletin, on the other hand, is third party that they are likely paying a licensing fee for.

          • by MechanicJay (1206650) on Wednesday January 08, 2014 @03:37PM (#45900587)

            Access Manager is an extremely capable enterprise class single-sign-on product (It's the current incarnation of Novell's iChain SSO product). I'm using it here to protect about 30+ backed web-applications. I can do access restrictions based on LDAP group memberships, inject identity information in http headers, do behind the scenes form-fill login for applications that wouldn't know what SSO was if it fell on them and so much more. Currently just finished a Radius server integration for 2 factor auth. It's one of the two best pieces of enterprise software I've ever used. (Riverbed's Stingray appliance being the other).

            • by mlts (1038732)

              I like the idea of having it in a separate product, on a separate server. Separation of duties 101. To boot, the product can use Google's Authenticator. This isn't the be all and end all in security, but it does provide the website designer with that ability to allow end users to use two factor authentication.

              So far, I've done some work on an appliance that is essentially a separate box that stores username/password hash tuples, prohibits a wholesale dump of files (unless one physically attaches a usb fl

              • In this case it's even better. None of the user authentication data is on the NetIQ appliance. It's all stored on an LDAP server even further back behind additional firewalls.

          • NetIQ Access Manager is rock solid and massively scalable. I support multiple systems that use it for over 30 million users. Nothing better for web access management.

            • 30 Million! My AM environment is serving barely 5K. I'd love to get some details on your infrastructure. How many IDPs and AGs are you running?

              • by LDAPMAN (930041)

                Please contact me directly at jcombs@pointbluetech.com and I'll answer any questions you might have. Running the 3.2+ version of the gateway on Linux we have been able to run over 30K concurrent sessions on a single node. We have gone to 50K in testing on some monster hardware.

  • by Fackamato (913248) on Wednesday January 08, 2014 @01:46PM (#45899393)

    ... no it's not shocking, you use the best tool for the job.

    • by mcgrew (92797) *

      Obviously this closed source software wasn't, in fact, the best tool for the job. If it were it wouldn't have been hacked.

      Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.

      • Just because something is the best tool for the job doesn't mean it's invulnerable. The best hammers can break even if all you're doing is pounding nails.

      • by amicusNYCL (1538833) on Wednesday January 08, 2014 @02:05PM (#45899629)

        Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.

        Just because they pay for a license doesn't mean they don't get the source code. The PHP code is right there if they want to go through it, vBulletin simply asks that people pay to use the software.

      • by poet (8021)

        Mcgrew,

        I would love for you to cite your comment with references to Open Source single sign-on software that is better than the closed source contenders. (I will grant you that it is ridiculous that they were using closed source bulletin board software).

        • by Kalriath (849904)

          Shibboleth? Hahahahaha... erm. I'll see myself out.

          But seriously, as another person mentioned, to SUSE, NetIQ Access Manager isn't closed source - it's their own product (well, made my another company in the same group).

          In terms of it being ridiculous that they were using a closed source bulletin board... why is that? They simply decided vBulletin was the best tool for the job, it's not like they were using vBulletin 5 or anything.

      • by exomondo (1725132)

        Obviously this closed source software wasn't, in fact, the best tool for the job. If it were it wouldn't have been hacked.

        So what bulletin board software is unhackable then?

    • by rujasu (3450319)
      ... which vBulletin 4.x clearly was not.
  • People seem to confuse those terms. AFAIK vBulletin is proprietary and charges a reasonable fee to use. I have no idea if the source is available but is appears to be mostly PHP, Javascript, and HTML - so maybe.
    • The system requirements only list various versions of PHP and MySQL. They don't say anything about requiring something to execute encrypted PHP source code, and they don't require any particular OS so it doesn't sound like they ship binaries.

      • by Kremmy (793693)
        Being a web application written in PHP, the very process of compiling to a binary is rarely ever even brought to the table. The source code is equivalent to the executable code in almost every one of those cases.
    • by Kalriath (849904)

      vBulletin comes with source. It does not utilise ionCube or Zend encoding.

  • Why are major linux distributions relying on proprietary software after the whole BitKeeper fiasco anyway?
    • Why would they demand that everything they use costs nothing? Who cares if they pay for the source code for vBulletin to run on their server?

      • by Anonymous Coward

        What does "proprietary" have to do with "costs nothing"?

        • by amicusNYCL (1538833) on Wednesday January 08, 2014 @02:33PM (#45899971)

          That's what I'm wondering. You pay vBulletin, they give you the source code of their application to run on your server. You've got the code, so why does it matter that they paid for it?

          • I know I'm late to the party, but I can't let this one slip :-). So, a bit of Free Software Philosophy 101 to serve up

            First off, Stallman's definitions of Software Freedoms [gnu.org]:

            1. The freedom to run the program, for any purpose (freedom 0).
            2. The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
            3. The freedom to redistribute copies so you can help your neighbor (freedom 2).
            4. The freedom to distribute c
            • I'm not sure what the license actually says, so I'm not sure if they expressly disallow people from making changes or not. Practically, they couldn't do that, if they are distributing the code then people are able to change it. It might not make sense to change it if you're just going to update at some point in the future, but it's a possibility.

              Anyway, the reason I kept posting things like that was because people kept referring to the software as "closed-source" or something like that, when it's not. Th

      • by Kremmy (793693)
        "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

        That's kind of the point.
  • by jabberw0k (62554) on Wednesday January 08, 2014 @02:00PM (#45899557) Homepage Journal

    vBulletin is a proprietary forum software.

    No, vBulletin is a software package, or a program, or even "vBulletin is software" -- but never "a software." You don't have "a hardware" or "an information" or "a clothing" -- you have a piece of hardware, a piece of information, a piece of clothing, and a piece of software. Grammar check, please.

    • Re: (Score:1, Funny)

      by Anonymous Coward

      I have an information for you. It says a hardware may help you to by a clothing. But you'll need a software installed first.

    • So, YOU'RE the asshole TA from English comp who gave me that D...excuse me...gave me A D!

  • The mods on Ubuntu forums hand out refractions like there's no tomorrow. Anyone who has much as criticizes Unity or mentions the embeded sypware gets an immediate refraction.
    • by Dcnjoe60 (682885)

      The mods on Ubuntu forums hand out refractions like there's no tomorrow. Anyone who has much as criticizes Unity or mentions the embeded sypware gets an immediate refraction.

      If criticizing Ubuntu will get me a new tablet, sign me up! (Per wikipedia: " Refraction is essentially a surface phenomenon")

  • H4x0r HuSsY. You just can't make this stuff up.
  • OpenSuSE (Score:3, Informative)

    by JohnVanVliet (945577) on Wednesday January 08, 2014 @03:22PM (#45900463) Homepage

    as a long time OpenSuSE user the forum has beed a problem for a very long time
    Novel controls it
    NOT OPENSUSE !!!!!!

    and this has been a long standing problem for the site admins
    they really do not control it

    as in the VERY LONG STANDING issue of the code and font and css used for the forum topics
    one MUST turn off the min. size font used
    or use a 9 pt font

    that can ONLY be changed by Novel and NOT by the OpenSUSE forum

  • I'm just worried it would take lots of extra time and effort to type something like H4x0r HuSsY multiple times a day.
  • Shocking? (Score:5, Informative)

    by Dcnjoe60 (682885) on Wednesday January 08, 2014 @03:47PM (#45900679)

    It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulleting as well as proprietary single sign on solution.

    While vBulletin isn't under GPL, it is pretty liberal. You get the source code, you can modify and compile the source code, you may not redistribute it or remove the copyright notices. So, technically while not open source, your real limitation is in being allowed to redistribute it (not removing copyright is part of GPL, too).

    • by CastrTroy (595695) on Wednesday January 08, 2014 @04:59PM (#45901335) Homepage
      Actually, If you're given the source, and allowed to modify the source, and run the modified source, then it is for all intents and purposes open source. Just because you have to pay to have access to that, doesn't mean it's not open source. If there's a problem, you are still able to fix the problem yourself, which is the main tenet of open source software.
      • by Dcnjoe60 (682885)

        Actually, If you're given the source, and allowed to modify the source, and run the modified source, then it is for all intents and purposes open source. Just because you have to pay to have access to that, doesn't mean it's not open source. If there's a problem, you are still able to fix the problem yourself, which is the main tenet of open source software.

        You aren't free to redistribute the source, which is keeping it from being classified as open source, but otherwise, I agree, from the user perspective, it has all of the benefits of open source.

  • vBulletin has pretty much become crap since Internet Brands bought it. Even IPB would be a bit more tolerable...
  • by mrspoonsi (2955715) on Wednesday January 08, 2014 @04:48PM (#45901237)
    It was patched to 4.2.2 in October, 4.2.1 had serious issues, even with 4.2.2 there have been 2 security announcements to remove vulnerable files (which are not needed to run the forum).
  • by Anonymous Coward

    People need to stop using shit written in PHP,

    They got what they deserved, stupid bastards.

  • Used insecure proprietary software; got pwned. If the software has pretty GUIs and simple tools, that makes it nicer and easier for the hackers to pwn you.

    Best tool for the job? Not if its security sucks.

"It is easier to fight for principles than to live up to them." -- Alfred Adler

Working...