Bugzilla website is no longer public

[pluby]

Last night, Ed and I found evidence of hacking in our Bugzilla website. The site was apparently hacked using a security hold in the phpBugTracker code that we use for that website.

Since all information in the Bugzilla website was already public and it has zero connections any of our other websites, we can conclude that the hacking was not about stealing data. Instead, the hackers were apparently trying to gain control over the website. Specifically, they used a SQL injection attack to overwrite password hash values. This, however, did not gain access as we use a custom password hashing algorithm in all of our websites so overwriting passwords set the password to an unknown password. In other words, updating the password hash values did not make it any easier to hack into anyone's account on that website.

While we would like to keep the Bugzilla website public, the fact is that the phpBugTracker code has many security holes so it would be very timeconsuming for Ed, Tim, and I to close all of the security holes. Given that and the fact that we now only use Bugzilla only for historical purposes, the least costly solution for these security holes was to make the Bugzilla website no longer public.

While this change is not ideal, it should ensure that we don't put our the historical data in Bugzilla at risk. Ed and I use that data for regression testing when we make changes to the NeoOffice code so taking the website offline in order to protect the data seems to be the prudent thing to do.

Edit by pluby: I forgot to mention that we keep copious backups of the databases for each of our websites and since Bugzilla has very few changes, it was very easy for us to drop the hacked database data and restore the data from an earlier, unhacked point in time.

Patrick