Apache.org hacked by XSS-attack

Oh wow.. now here’s a very nice report of a recent successful XSS-attack on apache.org. No, don’t worry, it isn’t a huge hole in the Apache webserver… just a very clever attack. Well.. they did obtain SVN credentials, so maybe the attackers could have changed the sources and injected a backdoor…

The attackers were able to penetrate at system level due to the usual end-user fuck-ups, like using the same account & credentials for the web applications as well as for shell access to production systems. One-time passwords did prevent the attackers from gaining full access to the entire infrastructure. It’s a nice read.
