Mailinglist Archive: opensuse (1420 mails)

[opensuse] Re: forums.opensuse.org down?
  • From: Jim Henderson <hendersj@xxxxxxxxx>
  • Date: Wed, 8 Jan 2014 05:57:13 +0000 (UTC)
  • Message-id: <laipbo$o7a$2@ger.gmane.org>
On Wed, 08 Jan 2014 00:57:46 -0300, Cristian Rodríguez wrote:

> On 07/01/14 22:51, Jim Henderson wrote:
>
>> If he were, he'd have told vBulletin of the exploit. The exploit is
>> described as a "private exploit," which to me says he's not disclosed
>> it.
>
> It really does not matter much, the attacker was able to go way too far
> in the first place. Yes, the vector is the forum software; why the
> payload ran without resistance all the way till gaining a shell as the
> apache user is the question that needs an answer on this side of the road.

Because that's the nature of having a public website. You're vulnerable
to potential exploits in third party code.

> The actual bug in this kind of PHP bulletin board should be from
> trivial to moderately easy to find and fix. Since this is a commercial
> app, that's up to the vendor to figure out.

Sure, but it isn't necessarily just in PHP code, it could be in the
interpreter as well. I've seen that happen.

Security audits of code should happen (I agree), but this hacker took the
approach of taking down an open source project's forums. If they wanted
to get noticed, I can think of at least one set of forums that would be a
better target and would get *immediate* attention.

Jim

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
