This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Ubuntu forums back online after attack analysis reveals XSS tactic

Share this article:

The compromise of an individual account and configuration settings led to the recent issue with the Ubuntu forums.

According to a blog post, the Linux user forum is back up and running after an attacker accessed a moderator account and post announcements and private messages to three forum administrators.

The attacker claimed that there was a server error on the announcement page, asked the other administrator to look and was subsequently compromised also.

It said: “We believe the attacker added an cross-site scripting attack in the announcement they posted which sent the cookies of any visitor to the page to the attacker. Once the attacker gained administrator access in the forums, they were able to add a hook through the administrator control panel.

“Hooks in vBulletin are arbitrary PHP code which can be made to run on every page load. The attacker installed a hook allowing them to execute arbitrary PHP passed in a query string argument. They used this mechanism to explore the environment and also to upload and install two widely available PHP shell kits. The attacker used these shell kits to upload and run some custom PHP code to dump the ‘user' table to a file on disk which they then downloaded.”

Ubuntu determined that the attacker had full access to the vBulletin environment as an administrator and shell access as the ‘www-data' user on the Forums app servers. This access was used to download the ‘user' table which contained usernames, email addresses and salted and hashed (using md5) passwords for 1.82 million users.

However it does not know how the attacker gained access to the moderator account used to start the attack, or what cross-site scripting attack was used as the announcement the attacker posted was deleted by one of the Forum administrators.

In response, it has contacted users to change passwords, wiped and rebuilt servers and manually imported data into a fresh database after sanity checking each table.

It has also switched the forums to use Ubuntu single sign-on for user authentication, implemented automated expiry of inactive moderator and administrator accounts, reviewed and further hardened the firewalling around the Forums servers and switched to forcing HTTPS for the administrator and moderator control panels and made it optionally available everywhere else.

“There was no compromise of Ubuntu itself, or any other Canonical or Ubuntu services. We have repaired and hardened the Ubuntu Forums, and as the problematic settings are the default behaviour in vBulletin, we are working with vBulletin staff to change and/or better document these settings,” it said.


“We will continue to work with vBulletin staff to discuss changes to the default settings which could help others avoid similar scenarios as this. Finally, we'd like once again to apologize for the security breach, the data leak and downtime.”


At the time of reporting the attack, Ubuntu said that the forums had been down due to maintenance and confirmed that attackers had gained every user's local username, password and email address from the Ubuntu Forums database.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud

Exclusive video webcast & Q&A sponsored by Vormetric

As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.

View the webcast here to find out more

More in News

State-sponsored attacks expected to get worse

State-sponsored attacks expected to get worse

A loss of confidence in perimeter defence has led many infosec professionals to question the ability of their organisation to withstand Advanced Persistent Threats (APTs).

Xen hypervisor found wanting on security

Xen hypervisor found wanting on security

The Xen hypervisor - an open source project that forms the basis of a wide range of virtualised servers - has been found to be vulnerable to a new attack ...

Shellshock vulnerabilities exploited in the wild

Shellshock vulnerabilities exploited in the wild

Linux: open source software is highly pervasive making the Shellshock vulnerability potentially more serious than Heartbleed.