OpenSUSE Forums Defaced, Email Addresses Leaked 82
sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by the handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulletin as well as a proprietary single sign-on solution."
SuSE was using vBulletin 4.x which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.
Shocked that a company uses a product? (Score:1, Insightful)
What, maybe they wanted to pay for something, rather than use the open-source alternative, which isn't always the best choice.
Re: (Score:1)
But vBulletin was? Holy shit, what are the alternatives?
Re: (Score:3, Informative)
vBulletin is pretty solid software from an end-user standpoint. It's more or less the standard interface that all other BB software emulates. Even if it's not perfect. It's also easy to administer and is ready to go out of the box. I've seen a lot of open source options that are similar, but vBulletin seems to do it best. I'm a little surprised that the OP would look down on a pretty standard product.
Re: (Score:1)
It sucks as a product in 2014, but it also scores as a 6.1 out of 10 on the "good enough" scale, which is why nobody has tried replacing it. It's also why apps like uTorrent still exist.
Re: (Score:2)
No it doesn't. All the other database drivers were phased out (source: I was the poor bastard that maintained MSSQL for it).
Re: (Score:3)
I'm curious about the NetIQ Access Manager backend. If this is good enough to keep a dedicated intruder out, it might be worth footnoting this product for later use should the need arise to build a forum site for a small business.
Re: (Score:1)
Re: (Score:2, Interesting)
Not fully proprietary. One should also just note that SUSE, the parent for openSUSE, is fully owned by Attachmate Group. Attachmate Group acquired Novell and NetIQ. Novell Access Manager was rebranded (recently) to NetIQ Access Manager. SUSE doesn't pay a licensing fee to use software owned by their parent company and, while proprietary, is proprietary to themselves. vBulletin, on the other hand, is third party that they are likely paying a licensing fee for.
Re:Shocked that a company uses a product? (Score:4, Informative)
Access Manager is an extremely capable enterprise-class single-sign-on product (it's the current incarnation of Novell's iChain SSO product). I'm using it here to protect about 30+ backend web applications. I can do access restrictions based on LDAP group memberships, inject identity information in HTTP headers, do behind-the-scenes form-fill login for applications that wouldn't know what SSO was if it fell on them, and so much more. Currently just finished a RADIUS server integration for two-factor auth. It's one of the two best pieces of enterprise software I've ever used (Riverbed's Stingray appliance being the other).
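Added example (not openSUSE's, vBulletin's or NetIQ's code) of the pattern both the summary and the post above describe: the SSO gateway authenticates the user and hands the application an identity in HTTP headers, while the forum's own user table holds only a random placeholder credential, so a dump of that table says nothing about the real password. The header names, the HMAC used to prove the headers really came from the gateway, and the dict standing in for the forum database are assumptions.

```python
# Added sketch; header names, the HMAC and the dict database are assumptions.
import hashlib
import hmac
import secrets

GATEWAY_SECRET = b"constructed-shared-secret"            # constructed sample value
USER_HDR, SIG_HDR = "X-Remote-User", "X-Remote-User-Sig"  # assumed header names

def gateway_headers(username: str, secret: bytes) -> dict:
    """What the (assumed) gateway injects after a successful SSO login."""
    sig = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return {USER_HDR: username, SIG_HDR: sig}

def verify_gateway_identity(headers: dict, secret: bytes):
    """Asserted username, or None if the header is missing or not signed by the gateway."""
    user, sig = headers.get(USER_HDR), headers.get(SIG_HDR)
    if not user or not sig:
        return None
    expected = hmac.new(secret, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(expected, sig) else None

def provision_local_account(db: dict, username: str) -> dict:
    """Forum row for an SSO user: the password column is a hash of a random string nobody knows."""
    if username not in db:
        placeholder = secrets.token_urlsafe(32)   # unrelated to the user's SSO password
        salt = secrets.token_bytes(16)
        db[username] = {
            "salt": salt.hex(),
            "password_hash": hashlib.pbkdf2_hmac("sha256", placeholder.encode(), salt, 100_000).hex(),
        }
    return db[username]

def local_password_login(db: dict, username: str, candidate: str) -> bool:
    """The forum's legacy password path; it can never succeed for SSO-provisioned rows."""
    row = db.get(username)
    if row is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(row["salt"]), 100_000)
    return hmac.compare_digest(digest.hex(), row["password_hash"])

def sso_login(db: dict, headers: dict, secret: bytes = GATEWAY_SECRET):
    """Accept only a verified gateway assertion, then map it onto a local forum row."""
    user = verify_gateway_identity(headers, secret)
    if user is None:
        return None
    provision_local_account(db, user)
    return user
```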
Re: (Score:2)
I like the idea of having it in a separate product, on a separate server. Separation of duties 101. To boot, the product can use Google's Authenticator. This isn't the be all and end all in security, but it does provide the website designer with that ability to allow end users to use two factor authentication.
So far, I've done some work on an appliance that is essentially a separate box that stores username/password hash tuples, prohibits a wholesale dump of files (unless one physically attaches a usb fl
Access Manager (Score:2)
In this case it's even better. None of the user authentication data is on the NetIQ appliance. It's all stored on an LDAP server even further back behind additional firewalls.
About NetIQ Access Manager (Score:2)
NetIQ Access Manager is rock solid and massively scalable. I support multiple systems that use it for over 30 million users. Nothing better for web access management.
Re: (Score:1)
30 Million! My AM environment is serving barely 5K. I'd love to get some details on your infrastructure. How many IDPs and AGs are you running?
Re: (Score:2)
Please contact me directly at jcombs@pointbluetech.com and I'll answer any questions you might have. Running the 3.2+ version of the gateway on Linux we have been able to run over 30K concurrent sessions on a single node. We have gone to 50K in testing on some monster hardware.
SUSE/openSUSE using proprietary software (Score:3)
... no it's not shocking, you use the best tool for the job.
Re: (Score:2)
Obviously this closed source software wasn't, in fact, the best tool for the job. If it were it wouldn't have been hacked.
Honestly, there's so much good comparable open source software out there I'm flabbergasted that SUSE uses closed source for it.
Re: (Score:3)
Just because something is the best tool for the job doesn't mean it's invulnerable. The best hammers can break even if all you're doing is pounding nails.
Re:SUSE/openSUSE using proprietary software (Score:4, Informative)
Honestly, there's so much good comparable open source software out there I'm flabbergasted that SUSE uses closed source for it.
Just because they pay for a license doesn't mean they don't get the source code. The PHP code is right there if they want to go through it; vBulletin simply asks that people pay to use the software.
Re: (Score:2)
Mcgrew,
I would love for you to cite your comment with references to Open Source single sign-on software that is better than the closed source contenders. (I will grant you that it is ridiculous that they were using closed source bulletin board software).
Re: (Score:2)
Shibboleth? Hahahahaha... erm. I'll see myself out.
But seriously, as another person mentioned, to SUSE, NetIQ Access Manager isn't closed source - it's their own product (well, made by another company in the same group).
In terms of it being ridiculous that they were using a closed source bulletin board... why is that? They simply decided vBulletin was the best tool for the job, it's not like they were using vBulletin 5 or anything.
Re: (Score:1)
Obviously this closed source software wasn't, in fact, the best tool for the job. If it were it wouldn't have been hacked.
So what bulletin board software is unhackable then?
Re: (Score:1)
Proprietary, No Cost, Open Source (Score:2)
Re: (Score:2)
The system requirements only list various versions of PHP and MySQL. They don't say anything about requiring something to execute encrypted PHP source code, and they don't require any particular OS so it doesn't sound like they ship binaries.
Re: (Score:2)
Re: (Score:2)
vBulletin comes with source. It does not utilise ionCube or Zend encoding.
vBulletin has been a security risk for ages. (Score:1)
Re: (Score:3)
Why would they demand that everything they use costs nothing? Who cares if they pay for the source code for vBulletin to run on their server?
Re: (Score:2)
What does "proprietary" have to do with "costs nothing"?
Re:vBulletin has been a security risk for ages. (Score:4, Informative)
That's what I'm wondering. You pay vBulletin, they give you the source code of their application to run on your server. You've got the code, so why does it matter that they paid for it?
Just cause you have the source don't make it free (Score:2)
I know I'm late to the party, but I can't let this one slip :-). So, a bit of Free Software Philosophy 101 to serve up
First off, Stallman's definitions of Software Freedoms [gnu.org]:
Re: (Score:2)
I'm not sure what the license actually says, so I'm not sure if they expressly disallow people from making changes or not. Practically, they couldn't do that, if they are distributing the code then people are able to change it. It might not make sense to change it if you're just going to update at some point in the future, but it's a possibility.
Anyway, the reason I kept posting things like that was because people kept referring to the software as "closed-source" or something like that, when it's not. Th
Re: (Score:1)
That's kind of the point.
Ugh, not "a software" again (Score:5, Funny)
No, vBulletin is a software package, or a program, or even "vBulletin is software" -- but never "a software." You don't have "a hardware" or "an information" or "a clothing" -- you have a piece of hardware, a piece of information, a piece of clothing, and a piece of software. Grammar check, please.
Re: (Score:1, Funny)
I have an information for you. It says a hardware may help you to buy a clothing. But you'll need a software installed first.
Re: (Score:3)
So, YOU'RE the asshole TA from English comp who gave me that D...excuse me...gave me A D!
Pity it wasn't Ubuntu Forums (again) (Score:1, Offtopic)
Re: (Score:2)
The mods on Ubuntu forums hand out refractions like there's no tomorrow. Anyone who so much as criticizes Unity or mentions the embedded spyware gets an immediate refraction.
If criticizing Ubuntu will get me a new tablet, sign me up! (Per Wikipedia: "Refraction is essentially a surface phenomenon")
OMG That's Precious (Score:2)
Re: (Score:2)
HuSsY H4x0r
OpenSuSE (Score:3, Informative)
as a long time OpenSuSE user the forum has been a problem for a very long time
Novell controls it
NOT OPENSUSE !!!!!!
and this has been a long standing problem for the site admins
they really do not control it
as in the VERY LONG STANDING issue of the code and font and css used for the forum topics
one MUST turn off the min. size font used
or use a 9 pt font
that can ONLY be changed by Novell and NOT by the OpenSUSE forum
I need a h@cX#r name. (Score:2)
Shocking? (Score:5, Informative)
It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulletin as well as a proprietary single sign-on solution.
While vBulletin isn't under GPL, it is pretty liberal. You get the source code, you can modify and compile the source code, you may not redistribute it or remove the copyright notices. So, technically while not open source, your real limitation is in being allowed to redistribute it (not removing copyright is part of GPL, too).
Re:Shocking? (Score:4)
Re: (Score:2)
Actually, if you're given the source, and allowed to modify the source, and run the modified source, then it is for all intents and purposes open source. Just because you have to pay to have access to that doesn't mean it's not open source. If there's a problem, you are still able to fix the problem yourself, which is the main tenet of open source software.
You aren't free to redistribute the source, which is keeping it from being classified as open source, but otherwise, I agree, from the user perspective, it has all of the benefits of open source.
Re: (Score:2)
Actually, I don't think redistribution rights are a requirement of Open Source, only of Free/Libre Software.
Re: (Score:3)
Funny, because redistribution is listed as point one in the Open Source Definition [opensource.org].
Re: (Score:2)
Fair enough, it appears I'm wrong on that.
Well... (Score:1)
Re: (Score:1)
Send in the Drones
I read that and thought you were talking about Democratic Party voters
4.2.1 was old (Score:3)
PHP drrrp (Score:1)
People need to stop using shit written in PHP.
They got what they deserved, stupid bastards.
Re: (Score:1)