Updating software is important, but it’s the third-party add-ons that get servers pwned. No component — theme, plugin, or module — is too small.
Canonical, the commercial vendor behind Ubuntu Linux, has disclosed a security breach where an unknown adversary accessed the database powering the Ubuntu support forums and obtained usernames, passwords, and IP addresses of two million users. Canonical used vBulletin, a popular web forum software, and while it appears the core installation was regularly updated, some add-ons were not.
The attacker gained access via a SQL injection vulnerability in Forum Runner, a vBulletin add-on. The flaw had already been fixed in a newer version of Forum Runner, but the team had not updated the add-on at the time of the attack.