OpenSUSE Forums Defaced, Email Addresses Leaked

Unknown Lamer posted about 3 months ago | from the should've-used-slash dept.


sfcrazy writes "The openSUSE Forums were hijacked yesterday. An alleged Pakistani hacker who goes by handle H4x0r HuSsY reportedly exploited a vulnerability in the vBulletin 4.2.1 software SuSE uses to host the forum. vBulletin is a proprietary forum software. The openSUSE team notes that user passwords were not compromised. 'Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password.' It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulletin as well as a proprietary single sign on solution." SuSE was using vBulletin 4.x, which has no known fix for the security hole, and they are leaving the forums offline for now. It seems likely they'll be upgrading to the 5.x series.


82 comments

Shocked that a company uses a product? (1, Insightful)

Anonymous Coward | about 3 months ago | (#45899331)

What, maybe they wanted to pay for something, rather than use the open-source alternative, which isn't always the best choice.

Re:Shocked that a company uses a product? (0)

0racle (667029) | about 3 months ago | (#45899483)

which isn't always the best choice

But vBulletin was? Holy shit, what are the alternatives?

Re:Shocked that a company uses a product? (2, Informative)

Hadlock (143607) | about 3 months ago | (#45899505)

vBulletin is pretty solid software from an end-user standpoint. It's more or less the standard interface that all other BB software emulates. Even if it's not perfect. It's also easy to administer and is ready to go out of the box. I've seen a lot of open source options that are similar, but vBulletin seems to do it best. I'm a little surprised that the OP would look down on a pretty standard product.

Re:Shocked that a company uses a product? (0)

Anonymous Coward | about 3 months ago | (#45899733)

I'm a little surprised that the OP would look down on a pretty standard product.

He should; vBulletin sucks. Granted, everything else sucks worse, but that's like saying, "I'm surprised anybody looks down on Murrica for having a massive number of incarcerated citizens, what with North Korea around and all."

Re:Shocked that a company uses a product? (0)

Hadlock (143607) | about 3 months ago | (#45901651)

It sucks as a product in 2014, but it also scores as a 6.1 out of 10 on the "good enough" scale, which is why nobody has tried replacing it. It's also why apps like utorrent still exist.

Re:Shocked that a company uses a product? (0)

Anonymous Coward | about 3 months ago | (#45903267)

In my experience, among the paid options, vBulletin sucks more than the alternatives. Invision Power Board is a relatively blissful experience.

Re:Shocked that a company uses a product? (0)

Anonymous Coward | about 3 months ago | (#45903293)

Also of note, IPB officially supports (though at additional cost) databases that aren't MyShitQuality.

Re:Shocked that a company uses a product? (1)

Kalriath (849904) | about 3 months ago | (#45903531)

No it doesn't. All the other database drivers were phased out (source: I was the poor bastard that maintained MSSQL for it).

Re:Shocked that a company uses a product? (2)

mlts (1038732) | about 3 months ago | (#45899977)

I'm curious about the NetIQ Access Manager backend. If this is good enough to keep a dedicated intruder out, it might be worth footnoting this product for later use should the need arise to build a forum site for a small business.

Re:Shocked that a company uses a product? (1)

Allan Jude (3433497) | about 3 months ago | (#45900183)

The attacker in this case was only armed with a known exploit for vBulletin. I am guessing they didn't even know NetIQ was there. Using any external authentication system would be a benefit in the case of a vBulletin exploit, as vBulletin is going to give the attacker full access to your SQL database, so having your passwords stored somewhere else, will require the attacker to be more than a run-of-the-mill website defacer.

Re:Shocked that a company uses a product? (2, Interesting)

Anonymous Coward | about 3 months ago | (#45900603)

Not fully proprietary. One should also just note that SUSE, the parent for openSUSE, is fully owned by Attachmate Group. Attachmate Group acquired Novell and NetIQ. Novell Access Manager was rebranded (recently) to NetIQ Access Manager. SUSE doesn't pay a licensing fee to use software owned by their parent company and, while proprietary, is proprietary to themselves. vBulletin, on the other hand, is third party that they are likely paying a licensing fee for.

Re:Shocked that a company uses a product? (4, Informative)

MechanicJay (1206650) | about 3 months ago | (#45900587)

Access Manager is an extremely capable enterprise class single-sign-on product (It's the current incarnation of Novell's iChain SSO product). I'm using it here to protect about 30+ backend web applications. I can do access restrictions based on LDAP group memberships, inject identity information in HTTP headers, do behind the scenes form-fill login for applications that wouldn't know what SSO was if it fell on them and so much more. Currently just finished a RADIUS server integration for 2 factor auth. It's one of the two best pieces of enterprise software I've ever used. (Riverbed's Stingray appliance being the other).

Re:Shocked that a company uses a product? (1)

mlts (1038732) | about 3 months ago | (#45900779)

I like the idea of having it in a separate product, on a separate server. Separation of duties 101. To boot, the product can use Google's Authenticator. This isn't the be all and end all in security, but it does provide the website designer with that ability to allow end users to use two factor authentication.

So far, I've done some work on an appliance that is essentially a separate box that stores username/password hash tuples, prohibits a wholesale dump of files (unless one physically attaches a usb flash drive), and handles the lockouts on the appliance end, so even if the web app and DB got hacked, the username/passwords are out of reach, barring a physical intrusion. However, something like this product stated above seems to do what I've been doing on an amateur level a lot better.

Access Manager (1)

LDAPMAN (930041) | about 3 months ago | (#45902357)

In this case it's even better. None of the user authentication data is on the NetIQ appliance. It's all stored on an LDAP server even further back behind additional firewalls.

About NetIQ Access Manager (1)

LDAPMAN (930041) | about 3 months ago | (#45902345)

NetIQ Access Manager is rock solid and massively scalable. I support multiple systems that use it for over 30 million users. Nothing better for web access management.

Re:About NetIQ Access Manager (1)

MechanicJay (1206650) | about 3 months ago | (#45906645)

30 Million! My AM environment is serving barely 5K. I'd love to get some details on your infrastructure. How many IDPs and AGs are you running?

Re:About NetIQ Access Manager (1)

LDAPMAN (930041) | about 3 months ago | (#45910423)

Please contact me directly at jcombs@pointbluetech.com and I'll answer any questions you might have. Running the 3.2+ version of the gateway on Linux we have been able to run over 30K concurrent sessions on a single node. We have gone to 50K in testing on some monster hardware.

Re:Shocked that a company uses a product? (0)

Anonymous Coward | about 3 months ago | (#45904329)

They could have paid for Lithium or Jive and just let someone else manage them.

Re:Shocked that a company uses a product? (0)

Anonymous Coward | about 3 months ago | (#45900777)

Add to that that some of the biggest, busiest forums on the interwebs use vBulletin, including ubuntuforums.com and forums.steampowered.com. The fact that openSUSE uses it is hardly "shocking"; TFA, which the Slashdot summary simply copies, is just trying to create controversy where none need exist.

SUSE/openSUSE using proprietary software (2)

Fackamato (913248) | about 3 months ago | (#45899393)

... no it's not shocking, you use the best tool for the job.

Re:SUSE/openSUSE using proprietary software (1)

mcgrew (92797) | about 3 months ago | (#45899453)

Obviously this closed source software wasn't, in fact, the best tool for the job. If it were it wouldn't have been hacked.

Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.

Re:SUSE/openSUSE using proprietary software (2)

SJHillman (1966756) | about 3 months ago | (#45899579)

Just because something is the best tool for the job doesn't mean it's invulnerable. The best hammers can break even if all you're doing is pounding nails.

Re:SUSE/openSUSE using proprietary software (3, Informative)

amicusNYCL (1538833) | about 3 months ago | (#45899629)

Honestly, there's so much good comparable open source software out there I'm flabbergasted that Suse uses closed source for it.

Just because they pay for a license doesn't mean they don't get the source code. The PHP code is right there if they want to go through it, vBulletin simply asks that people pay to use the software.

Re:SUSE/openSUSE using proprietary software (1)

poet (8021) | about 3 months ago | (#45899857)

Mcgrew,

I would love for you to cite your comment with references to Open Source single sign-on software that is better than the closed source contenders. (I will grant you that it is ridiculous that they were using closed source bulletin board software).

Re:SUSE/openSUSE using proprietary software (1)

Kalriath (849904) | about 3 months ago | (#45903549)

Shibboleth? Hahahahaha... erm. I'll see myself out.

But seriously, as another person mentioned, to SUSE, NetIQ Access Manager isn't closed source - it's their own product (well, made by another company in the same group).

In terms of it being ridiculous that they were using a closed source bulletin board... why is that? They simply decided vBulletin was the best tool for the job, it's not like they were using vBulletin 5 or anything.

Re:SUSE/openSUSE using proprietary software (0)

Anonymous Coward | about 3 months ago | (#45900395)

Nothing is unhackable, hard to do maybe, but not impossible.

Re:SUSE/openSUSE using proprietary software (0)

exomondo (1725132) | about 3 months ago | (#45904515)

Obviously this closed source software wasn't, in fact, the best tool for the job. If it were it wouldn't have been hacked.

So what bulletin board software is unhackable then?

Re:SUSE/openSUSE using proprietary software (0)

Anonymous Coward | about 3 months ago | (#45899631)

Which is *never* Linux in the wake of OS X and Windows 7 not sucking.

Re:SUSE/openSUSE using proprietary software (0)

Anonymous Coward | about 3 months ago | (#45900533)

No, it's not surprising. SUSE is in bed with Micro$oft. https://en.wikipedia.org/wiki/Suse_linux#Microsoft_agreement [wikipedia.org]

Re:SUSE/openSUSE using proprietary software (0)

Anonymous Coward | about 3 months ago | (#45900801)

Because Microsoft makes vBulletin?

Re:SUSE/openSUSE using proprietary software (0)

Anonymous Coward | about 3 months ago | (#45901449)

SUSE != openSUSE

It is not like Fedora, nor is it like Centos.

Re:SUSE/openSUSE using proprietary software (-1)

Anonymous Coward | about 3 months ago | (#45904539)

I was wondering how long it would take the retards of the FOSS community (no not all of them are retards, just a select few like you) to blame this on Microsoft.

Proprietary, No Cost, Open Source (1)

tomhath (637240) | about 3 months ago | (#45899473)

People seem to confuse those terms. AFAIK vBulletin is proprietary and charges a reasonable fee to use. I have no idea if the source is available but it appears to be mostly PHP, Javascript, and HTML - so maybe.

Re:Proprietary, No Cost, Open Source (1)

amicusNYCL (1538833) | about 3 months ago | (#45899575)

The system requirements only list various versions of PHP and MySQL. They don't say anything about requiring something to execute encrypted PHP source code, and they don't require any particular OS so it doesn't sound like they ship binaries.

Re:Proprietary, No Cost, Open Source (2)

Kremmy (793693) | about 3 months ago | (#45899895)

Being a web application written in PHP, the very process of compiling to a binary is rarely ever even brought to the table. The source code is equivalent to the executable code in almost every one of those cases.

Re:Proprietary, No Cost, Open Source (0)

Anonymous Coward | about 3 months ago | (#45904341)

Anything that lists MySQL as a requirement should simply not be used.

Re:Proprietary, No Cost, Open Source (1)

Kalriath (849904) | about 3 months ago | (#45903557)

vBulletin comes with source. It does not utilise ionCube or Zend encoding.

vbulletin has been going down the drain for.. (0)

Anonymous Coward | about 3 months ago | (#45899479)

vbulletin has been going down the drain for years already. this isn't surprising to say the least.

vBulletin has been a security risk for ages. (1)

Kremmy (793693) | about 3 months ago | (#45899489)

Why are major linux distributions relying on proprietary software after the whole BitKeeper fiasco anyway?

Re:vBulletin has been a security risk for ages. (2)

amicusNYCL (1538833) | about 3 months ago | (#45899591)

Why would they demand that everything they use costs nothing? Who cares if they pay for the source code for vBulletin to run on their server?

Re:vBulletin has been a security risk for ages. (2)

Anonymous Coward | about 3 months ago | (#45899773)

What does "proprietary" have to do with "costs nothing"?

Re:vBulletin has been a security risk for ages. (3, Informative)

amicusNYCL (1538833) | about 3 months ago | (#45899971)

That's what I'm wondering. You pay vBulletin, they give you the source code of their application to run on your server. You've got the code, so why does it matter that they paid for it?

Re:vBulletin has been a security risk for ages. (0)

Anonymous Coward | about 3 months ago | (#45900517)

That's what I'm wondering

So why did you address your GP reply to the GGP, since nobody in this conversation sees any relation between the two questions?

Just cause you have the source don't make it free (1)

taikedz (2782065) | about 3 months ago | (#46034259)

I know I'm late to the party, but I can't let this one slip :-). So, a bit of Free Software Philosophy 101 to serve up

First off, Stallman's definitions of Software Freedoms [gnu.org] :

  1. The freedom to run the program, for any purpose (freedom 0).
  2. The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
  3. The freedom to redistribute copies so you can help your neighbor (freedom 2).
  4. The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

Secondly the consequence: Nobody but vBulletin is allowed to patch the hole, from a legal standpoint, lacking freedom 1, and thus lacking freedoms 2 and 3. Legally, SUSE cannot modify/improve/patch the software - they can only purchase upgrades.

I leave this here, you know, just in case.

Re:Just cause you have the source don't make it fr (1)

amicusNYCL (1538833) | about 3 months ago | (#46037277)

I'm not sure what the license actually says, so I'm not sure if they expressly disallow people from making changes or not. Practically, they couldn't do that, if they are distributing the code then people are able to change it. It might not make sense to change it if you're just going to update at some point in the future, but it's a possibility.

Anyway, the reason I kept posting things like that was because people kept referring to the software as "closed-source" or something like that, when it's not. The source is open, it's just not free. The major difference between vBulletin and any other open-source PHP project is the license, that's it. It's open-source software that isn't free (both kinds).

Re:vBulletin has been a security risk for ages. (1)

Kremmy (793693) | about 3 months ago | (#45899829)

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

That's kind of the point.

Ugh, not "a software" again (4, Funny)

jabberw0k (62554) | about 3 months ago | (#45899557)

vBulletin is a proprietary forum software.

No, vBulletin is a software package, or a program, or even "vBulletin is software" -- but never "a software." You don't have "a hardware" or "an information" or "a clothing" -- you have a piece of hardware, a piece of information, a piece of clothing, and a piece of software. Grammar check, please.

Re:Ugh, not "a software" again (1, Funny)

Anonymous Coward | about 3 months ago | (#45899821)

I have an information for you. It says a hardware may help you to buy a clothing. But you'll need a software installed first.

Re:Ugh, not "a software" again (0)

Anonymous Coward | about 3 months ago | (#45901693)

Don't forget a hot piece of ass.

Pity it wasn't Ubuntu Forums (again) (1, Offtopic)

johnsie (1158363) | about 3 months ago | (#45899619)

The mods on Ubuntu forums hand out refractions like there's no tomorrow. Anyone who so much as criticizes Unity or mentions the embedded spyware gets an immediate refraction.

Re:Pity it wasn't Ubuntu Forums (again) (0)

Anonymous Coward | about 3 months ago | (#45899779)

"Infraction" is probably the word you were intending to use.

Re:Pity it wasn't Ubuntu Forums (again) (1)

Dcnjoe60 (682885) | about 3 months ago | (#45900733)

The mods on Ubuntu forums hand out refractions like there's no tomorrow. Anyone who so much as criticizes Unity or mentions the embedded spyware gets an immediate refraction.

If criticizing Ubuntu will get me a new tablet, sign me up! (Per wikipedia: " Refraction is essentially a surface phenomenon")

Re:Pity it wasn't Ubuntu Forums (again) (0)

Anonymous Coward | about 3 months ago | (#45901459)

The mods on Ubuntu forums hand out refractions like there's no tomorrow.

Hand out refractions?? Your comment makes no sense at all. Got a loose diode there, Watson?

OSS FTW (0)

Anonymous Coward | about 3 months ago | (#45899947)

I always choose an OSS product, even if it means I get less functionality. Another thing I've noticed of late is more and more developers I keep up with are moving towards the BSD license. Are you guys seeing this? This is happening in the US as well as the EU. It's an interesting trend.

H4x0r HuSsY... you are a D-Wad... (0)

Anonymous Coward | about 3 months ago | (#45900039)

I know how to jimmy my neighbors windows open but that does not make it OK to do so. H4x0r HuSsY... you are a D-Wad...

OpenSuSE (2, Informative)

JohnVanVliet (945577) | about 3 months ago | (#45900463)

as a long time OpenSuSE user the forum has been a problem for a very long time
Novel controls it
NOT OPENSUSE !!!!!!

and this has been a long standing problem for the site admins
they really do not control it

as in the VERY LONG STANDING issue of the code and font and css used for the forum topics
one MUST turn off the min. size font used
or use a 9 pt font

that can ONLY be changed by Novel and NOT by the OpenSUSE forum

Re:OpenSuSE (0)

Anonymous Coward | about 3 months ago | (#45901061)

It might help if you spelt the company name correctly. It's NOVELL, 2 L's...

I need a h@cX#r name. (1)

csumpi (2258986) | about 3 months ago | (#45900497)

I'm just worried it would take lots of extra time and effort to type something like H4x0r HuSsY multiple times a day.

But how did these get indexed? (0)

Anonymous Coward | about 3 months ago | (#45900569)

Same thing to this one:
https://www.google.com/search?q="You+have+registered+the+following+telephone+number+in+the+National+Do+Not+Call+Registry"

How can Google index a page that is not linked anywhere?

Shocking? (4, Informative)

Dcnjoe60 (682885) | about 3 months ago | (#45900679)

It's shocking to learn that SUSE/openSUSE are using proprietary forum software vBulletin as well as a proprietary single sign on solution.

While vBulletin isn't under GPL, it is pretty liberal. You get the source code, you can modify and compile the source code, you may not redistribute it or remove the copyright notices. So, technically while not open source, your real limitation is in being allowed to redistribute it (not removing copyright is part of GPL, too).

Re:Shocking? (3)

CastrTroy (595695) | about 3 months ago | (#45901335)

Actually, If you're given the source, and allowed to modify the source, and run the modified source, then it is for all intents and purposes open source. Just because you have to pay to have access to that, doesn't mean it's not open source. If there's a problem, you are still able to fix the problem yourself, which is the main tenet of open source software.

Re:Shocking? (1)

Dcnjoe60 (682885) | about 3 months ago | (#45901605)

Actually, If you're given the source, and allowed to modify the source, and run the modified source, then it is for all intents and purposes open source. Just because you have to pay to have access to that, doesn't mean it's not open source. If there's a problem, you are still able to fix the problem yourself, which is the main tenet of open source software.

You aren't free to redistribute the source, which is keeping it from being classified as open source, but otherwise, I agree, from the user perspective, it has all of the benefits of open source.

Re:Shocking? (0)

Anonymous Coward | about 3 months ago | (#45902479)

Access Manager was a Novell product, Novell purchased SuSE, NetIQ purchased Novell. Not so surprising to me.

Well... (1)

Lirodon (2847623) | about 3 months ago | (#45900715)

vBulletin has pretty much become crap since Internet Brands bought it. Even IPB would be a bit more tolerable...

Send in the Drones (0)

Anonymous Coward | about 3 months ago | (#45901039)

It is time the United States of America sends UAVs into Pakistan to wipe this H4x0r HuSsY off the planet. What? You were thinking the same thing when you realized this Paki must be a terrorist. "Die. Die. Die." as the Daleks say.

Re:Send in the Drones (1)

crutchy (1949900) | about 3 months ago | (#45904721)

Send in the Drones

i read that and thought you were talking about democratic party voters

4.2.1 was old (2)

mrspoonsi (2955715) | about 3 months ago | (#45901237)

It was patched to 4.2.2 in October, 4.2.1 had serious issues, even with 4.2.2 there have been 2 security announcements to remove vulnerable files (which are not needed to run the forum).

Re:4.2.1 was old (0)

Anonymous Coward | about 3 months ago | (#45904403)

4.2.1 and 4.2.2 both had the same basic security issue.
There was a hack available if the installation directory was left publicly accessible after install/upgrade.
The fix: 1) delete it; or 2) protect it with .htaccess
This is well known and the admin would have got an email.

Both 4.2.1 and 4.2.2 latest releases are secure unless you have a faulty 3rd party add-on.

The site admins should have contacted vB for support.
FYI I am the admin for a 1m post / 20k member vB site.
4.2.2 was a maintenance release supporting PHP 5.4

PHP drrrp (1)

Anonymous Coward | about 3 months ago | (#45901415)

People need to stop using shit written in PHP.

They got what they deserved, stupid bastards.

Again! Crap. Checking... Checking... (0)

Anonymous Coward | about 3 months ago | (#45902069)

Another website intrusion leaking the personal data that they insisted on before allowing me access. I'm about sick of this crap.

Which of my email addresses did they get? Checking... Checking... Oh, yea. It was a throwaway.

Really? (0)

Anonymous Coward | about 3 months ago | (#45904881)

I have a hard time believing that there's anyone in Pakistan that actually owns a computer, let alone knows how to find and run script-kiddie scripts. I mean that country seems full of people so mind-boggling stupid that it's a wonder they know how to eat, breathe and procreate. Yes, I know they allegedly have nuclear weapons but how can they have smart people in a place so full of seemingly retarded people living so deep in the dark ages that cavemen seems sophisticated in comparison. It boggles the mind.

Okay, yes I guess there must be exceptions to the rule but while they may be smart in some ways, they're clearly not smart enough to get rid of all the stupid people grabbing the international headlines by doing something ridiculous on a daily basis.

I'm sorry, but as long at you allow crazed-looking bearded toothless men waving Korans and AK47's yelling "Down with USA!" to fill the streets, you're just not going to get any respect whatsoever. And as long as these people hide internationally wanted terrorists, the US is going to hit them with drones and Hellfire missiles in order to do something about the menace they cause. I'm sure the US government is sorry about any collateral damage but when they're hiding behind women and children, someone else is bound to get hurt on the way. Unfortunately for their women and children they're all about yelling and posing but deep within they're just sad cowards that are not men enough to stand tall and fight fair, and thus they deserve what they get.

don't care? (0)

Anonymous Coward | about 3 months ago | (#45905679)

Shitty Linux.. Novell and Canonical can blow my dog.

Hahahaha!! (1)

matbury (3458347) | about 3 months ago | (#45908927)

Used insecure proprietary software; got pwned. If the software has pretty GUIs and simple tools, that makes it nicer and easier for the hackers to pwn you.

Best tool for the job? Not if its security sucks.