Ubuntu forum breach traced to neglected plugin

Updating software is important, but it’s the third-party add-ons that get servers pwned. No component — theme, plugin, or module — is too small.

Canonical, the commercial vendor behind Ubuntu Linux, has disclosed a security breach in which an unknown adversary accessed the database powering the Ubuntu support forums and obtained usernames, passwords, and IP addresses of two million users. Canonical used vBulletin, a popular web forum package, and while it appears the core installation was regularly updated, some add-ons were not.

The attacker gained access via a SQL injection vulnerability in Forum Runner, a vBulletin add-on. The flaw had already been fixed in a newer version of Forum Runner, but the team had not updated the add-on at the time of the attack.

Source: Security

