Archive for April, 2010

Apache falls victim to JIRA XSS exploit

Posted on April 13, 2010

Anyone with an issues.apache.org account is probably already aware that there is an exploit out there for JIRA. Apache and Atlassian have both had servers compromised.

More info: https://blogs.apache.org/infra/entry/apache_org_04_09_2010

If you’ve signed up for a public JIRA server (or run one) and the password wasn’t one you used only for that, you should probably think about proactively changing it everywhere else you use it.

The passwords are hashed, but JIRA uses a single random site-wide salt rather than a per-user one, so one precomputed table covers every account. It’ll take time, but eventually they could recover any password weak enough to appear in a word list.
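To show concretely why a site-wide salt barely slows an attacker down, here is a small added example (my own code, not from the original post, JIRA or Atlassian). It hashes a constructed set of users with SHA-512 two ways, once with one shared salt and once with a per-user salt, then runs the same dictionary attack against both and counts hash operations. The word list, user names and passwords are all made up for the demonstration.

```python
"""Site-wide salt vs per-user salt: how much work a dictionary attack costs.

Added example, not code from the post. Hash construction (SHA-512 over
salt || password) is an assumption chosen to illustrate the point.
"""
import hashlib
import secrets

# Constructed sample data: a tiny word list and three users, two of whom
# picked dictionary words. Nothing here is real JIRA data.
WORDLIST = ["password", "letmein", "apache", "jira2010", "welcome", "dragon"]
USERS = {
    "alice": "letmein",
    "bob": "apache",
    "carol": secrets.token_urlsafe(24),  # randomly generated, not in any word list
}
SITE_SALT = secrets.token_bytes(16)  # one salt shared by every account


def hash_password(password: str, salt: bytes) -> str:
    """Plain SHA-512 over salt || password (assumed scheme for the example)."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def store_site_wide(users: dict, site_salt: bytes) -> dict:
    """Password database where every user shares the same salt."""
    return {user: hash_password(pw, site_salt) for user, pw in users.items()}


def store_per_user(users: dict) -> dict:
    """Password database where each user gets a fresh random salt."""
    stored = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        stored[user] = (salt, hash_password(pw, salt))
    return stored


def crack_site_wide(stored: dict, site_salt: bytes, wordlist: list) -> tuple:
    """One hash per candidate word; the resulting table matches all users at once."""
    ops = 0
    table = {}
    for word in wordlist:
        table[hash_password(word, site_salt)] = word
        ops += 1
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, ops


def crack_per_user(stored: dict, wordlist: list) -> tuple:
    """Salts differ per user, so the word list must be rehashed for each account."""
    ops = 0
    found = {}
    for user, (salt, h) in stored.items():
        for word in wordlist:
            ops += 1
            if hash_password(word, salt) == h:
                found[user] = word
                break  # stop at the first hit; carol's random password never matches
    return found, ops


def compare() -> dict:
    """Run both attacks on the same users and report hits and hash operations."""
    site_found, site_ops = crack_site_wide(store_site_wide(USERS, SITE_SALT), SITE_SALT, WORDLIST)
    user_found, user_ops = crack_per_user(store_per_user(USERS), WORDLIST)
    return {
        "site_wide": {"found": site_found, "hash_ops": site_ops},
        "per_user": {"found": user_found, "hash_ops": user_ops},
    }


if __name__ == "__main__":
    for scheme, result in compare().items():
        print(f"{scheme}: cracked {sorted(result['found'])} in {result['hash_ops']} hash ops")
```

Both attacks recover the two dictionary passwords and neither touches carol’s random one, which is the point of the rest of the post. The difference is cost: with a shared salt the attacker hashes each candidate once and looks up every user, so the work is the size of the word list regardless of how many accounts leaked; with per-user salts the work grows with the number of accounts. A real deployment would also use a deliberately slow hash such as bcrypt or scrypt rather than bare SHA-512, which multiplies that cost again.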

It actually could have been a pretty clever exploit: go after developers, who are more likely to have accounts with one of the cloud providers. Use the accounts to launch instances, use the instances to generate password tables, compromise more accounts, launch more instances….

I’m lazy, and the password I used on the Apache JIRA was one I used in a few other places. I knew it was a bad idea, but I did it anyway. I’ve learned my lesson and spent the whole night changing my passwords and getting them all into 1Password on my Mac and iPhone.

There’s no reason to believe that my password has been compromised yet, but it’s better to be safe than sorry. Now my passwords are all randomly generated: really long, with letters, numbers and symbols.

Another Open Source Library.

Posted on April 6, 2010

I’m having a bit of a clear out, taking a look at some of the code I’ve written, and I’ve been pushing some of the stuff I’m currently using up to GitHub under an Apache 2 licence. I’ve used things in Announce.ly, Sproozi and some other small projects and figure they may be useful to someone else. My only criterion has been to ask if I’m using it now in a project; if so, I’m actively supporting it and I’ve started pushing that stuff to GitHub. Everything else is dormant, and I don’t want to release something I’m not actively supporting. It also occurs to me that if even I’m not using it, it can’t be all that worthwhile.

I’ve just pushed to GitHub some code I’ve been testing for a few months in a couple of projects. It’s an accounts package written for Spring that ties my OAuth library and Twitter together with either Hibernate or HBase as backend storage. In its simplest form, when you log in with Twitter it creates a new user, persists it, and stores the OAuth access tokens you need to act on behalf of that user.

I’ll write some more about it, add better documentation and probably throw a little more code up on GitHub over the course of the next couple of weeks, as and when I get a chance.