OpenSUSE forums defaced via unknown vBulletin 0-day
Posted on 08 January 2014.
The official forums of the openSUSE Linux distribution have been hacked and defaced by a Pakistani hacker who goes by the handle "H4x0r HuSsY."

According to THN, the hacker defaced the site and downloaded a database containing information about nearly 80,000 forum users. He did so by using a private vBulletin zero-day exploit that allowed him to browse, read, write or overwrite any file on the forum server without root privileges.

The exploit apparently takes advantage of a flaw present both in the vBulletin version used for the openSUSE forums (4.2.1) and in the latest version of the online forum software package (5.0.5).

The hacker claims that the user database he managed to get his hands on contains usernames, passwords and email addresses, and has posted a redacted screenshot of it to prove his claim.

But openSUSE admins claim that passwords have not been compromised.

"Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack," they explained in a blog post. "What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password."

Still, the local database did contain users' email addresses.

They also announced that the forums will be taken offline until a fix or a workaround for the exploited flaw is found.

vBulletin is an extremely popular forum software package used by many large web forums, and their admins might want to consider doing the same.









Copyright 1998-2014 by Help Net Security.