December 1st, 2010

Savannah Free Software Collaborative Development Platform Hacked, Accounts Compromised Through SQL Injection

Savannah, the collaborative development platform maintained by the Free Software Foundation, was taken offline earlier this week after unknown attackers exploited an SQL injection vulnerability to compromise accounts.

Savannah runs on Savane2, open source software forked from the original SourceForge code after that system changed its licensing and went proprietary. The platform has grown to support the CVS, Subversion, Git, Mercurial, GNU Arch and Bazaar revision control systems, a bug tracker and a mailing list.

An announcement posted Monday on the website informed users that the repository had been compromised and that work was underway to restore it from an older backup. The attackers apparently used a method known as SQL injection, which exploits insufficient input validation in order to run arbitrary queries against the underlying database.

In this case, it was used to extract the password hashes for accounts on the system. These hashes also appear not to have been sufficiently strong, as the attackers managed to crack them by brute force.

Savannah admins initially restored the system from a backup made on the 23rd of November and re-enabled write access to the repositories so that project admins could recommit their changes.

However, the procedure was suspended yesterday after traces of the attack were also found for the 23rd. The plan then switched to restoring everything from a backup made on the 22nd.

Read-only SQL injection attacks dating back to January were also discovered; however, they did not result in account compromises. “After fishing through logs, it appears that there was no other account cracking,” the team announced today.

Other actions taken so far as a result of this incident include resetting account passwords and fixing the SQL injection vulnerability. The code was also audited and no other similar flaws were found.

However, before the Web interface is brought back up, Savannah administrators plan to implement better hashing with crypt-md5 or crypt-sha2 and to enforce the use of stronger passwords.
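The two halves of this incident, a query built from unvalidated input that lets an attacker dump password hashes and a hash scheme too weak to survive that dump, are shown side by side with their fixes below. This is an added example, not Savane2 code: the user table and passwords are constructed, SQLite stands in for the real database, and PBKDF2-SHA512 is used as a stand-in for the crypt-sha2 scheme the Savannah team planned to adopt (the same idea: per-user salt plus many rounds).

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: two accounts stored as unsalted MD5, the kind of
# weak hash the article says the attackers extracted and brute-forced.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT)")
for login, pw in [("alice", "password"), ("bob", "letmein")]:
    db.execute("INSERT INTO users VALUES (?, ?)",
               (login, hashlib.md5(pw.encode()).hexdigest()))

def lookup_vulnerable(login):
    """Query built by string concatenation: the value is parsed as SQL."""
    sql = "SELECT login, pw_hash FROM users WHERE login = '" + login + "'"
    return db.execute(sql).fetchall()

def lookup_safe(login):
    """Parameterized query: the driver binds the value, so it can never alter the statement."""
    sql = "SELECT login, pw_hash FROM users WHERE login = ?"
    return db.execute(sql, (login,)).fetchall()

# Textbook tautology, used only to show that the two lookups behave differently.
INJECTED = "x' OR '1'='1"

def crack_unsalted(rows, wordlist):
    """Unsalted, single-round MD5: one cheap hash per guess checks every account at once."""
    by_hash = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {login: by_hash[h] for login, h in rows if h in by_hash}

def hash_password(pw, iterations=200_000):
    """Salted, iterated SHA-512 via PBKDF2 (stand-in for crypt-sha2): a fresh random
    salt per user defeats precomputed tables and the rounds make each guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", pw.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"

def verify_password(pw, stored):
    """Recompute with the stored salt and rounds; constant-time compare of the digests."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha512", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    dumped = lookup_vulnerable(INJECTED)          # every row, not just one login
    print("injected lookup returned", len(dumped), "rows; safe lookup returned",
          len(lookup_safe(INJECTED)))
    print("cracked:", crack_unsalted(dumped, ["123456", "password", "letmein"]))
    stored = hash_password("correct horse battery staple")
    print("salted hash verifies:", verify_password("correct horse battery staple", stored))
```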

Credit: News
