Hackers have exploited an XSS flaw in Atlassian's JIRA software to compromise the Apache Software Foundation's infrastructure and capture passwords of its developers.
The attack took place between 5 and 9 April and forced the Apache infrastructure team to take its JIRA, Bugzilla and Confluence services offline, according to a post on the Apache Infrastructure Blog.
"The attackers must be presumed to have copies of our Confluence and Bugzilla databases, as well as our JIRA database, at this point. These databases include hashes of all passwords used on those systems. However, other services and hosts, including LDAP, were largely unaffected," the post said.
Atlassian have patched the JIRA issue and Apache's JIRA and Bugzilla instances are back online, although Confluence is still down at the time of writing. The Atlassian software was donated to the Apache Foundation to track issues and requests.
The Australian collaborative software maker was in hot water earlier this week when it told its customers to reset their passwords after a deprecated database table was found to contain plain-text copies of users' passwords.
How the hackers got in
The hackers used a compromised Slicehost server to open an issue that said: "ive got this error while browsing some projects in jira http://tinyurl.com/XXXXXXXXX [obscured]".
The malicious URL allowed session cookies to be stolen from logged-in JIRA users, with TinyURL used to mask the link's XSS purpose. Several Apache infrastructure administrators clicked on the link and had their sessions compromised, including their JIRA administrator rights. At the same time, a brute force attack was launched against JIRA's log-in page; it gained JIRA administrator rights the next day.
Once the hackers had JIRA administrator rights, they were able to create a back door that stored all user passwords as they were entered at log-in, and then sent emails to the infrastructure team asking them to reset their passwords. One team member reset their password to the same one used for shell access to the server hosting Apache's installs of Bugzilla, JIRA and Confluence. That team member had full sudo access to the system, so the hackers were able to use this account to compromise the server and gain access to Apache's main shell server, although they were unable to gain full access on that machine.
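Two of the signals described above, a burst of failed logins against the JIRA log-in page followed by a success, and a request carrying a script tag of the kind a masked XSS link would deliver, are easy to pick out of a web server access log. The detector below is an added example, not code from the article or from Apache or Atlassian; it assumes combined-log-format lines, a login endpoint at the made-up path /jira/login.jsp, and constructed sample log lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

LOGIN_PATH = "/jira/login.jsp"  # assumed login endpoint; not taken from the article
FAIL_THRESHOLD, WINDOW = 5, timedelta(seconds=60)
XSS_MARKERS = ("<script", "javascript:", "onerror=")
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Constructed sample access log (not real Apache data): one source hammering the login page and then succeeding, plus one request with an encoded script tag.
SAMPLE_LOG = [
    f'10.0.0.5 - - [08/Apr/2010:10:00:0{i} +0000] "POST /jira/login.jsp HTTP/1.1" 401 512'
    for i in range(5)
] + [
    '10.0.0.5 - - [08/Apr/2010:10:00:09 +0000] "POST /jira/login.jsp HTTP/1.1" 302 0',
    '192.0.2.7 - - [08/Apr/2010:10:05:00 +0000] "GET /jira/browse/FOO?q=%3Cscript%3E HTTP/1.1" 200 1024',
    '192.0.2.9 - - [08/Apr/2010:10:06:00 +0000] "GET /jira/browse/BAR HTTP/1.1" 200 1024',
]

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:  # malformed line: skip rather than crash
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect(lines):
    """Return (alert_type, source_ip, detail) tuples for the two patterns above."""
    alerts, failures = [], defaultdict(deque)  # failures: ip -> recent failed-login timestamps
    for rec in filter(None, map(parse_line, lines)):
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        # URL-decode before matching so percent-encoded payloads are not missed.
        if any(marker in unquote(path).lower() for marker in XSS_MARKERS):
            alerts.append(("xss_marker", ip, path))
        if path.split("?", 1)[0] != LOGIN_PATH:
            continue
        q = failures[ip]
        while q and ts - q[0] > WINDOW:  # forget failures older than the window
            q.popleft()
        if rec["status"] in (401, 403):
            q.append(ts)
            if len(q) == FAIL_THRESHOLD:  # alert once, when the threshold is crossed
                alerts.append(("login_bruteforce", ip, f"{len(q)} failures within {WINDOW.seconds}s"))
        elif len(q) >= FAIL_THRESHOLD:
            # A successful login right after a burst of failures is the event to escalate first.
            alerts.append(("bruteforce_success", ip, f"status {rec['status']} after {len(q)} failures"))
    return alerts
```

Running detect(SAMPLE_LOG) yields a brute-force alert at the fifth failure, a success-after-failures alert for the same source, and an XSS-marker alert for the encoded script request.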
Six hours after the emails were sent, the infrastructure team noticed the attackers and shut down the Bugzilla, JIRA and Confluence servers. These services are now on a different machine with the Apache infrastructure team saying that they could no longer trust the operating system on the original machine.