pluby The Architect


Joined: Jun 16, 2003 Posts: 11949
Posted: Thu May 03, 2012 1:11 pm Post subject: Bugzilla website is no longer public
Last night, Ed and I found evidence of hacking in our Bugzilla website. The site was apparently hacked using a security hole in the phpBugTracker code that we use for that website.
Since all information in the Bugzilla website was already public and it has zero connections to any of our other websites, we can conclude that the hacking was not about stealing data. Instead, the hackers were apparently trying to gain control over the website. Specifically, they used a SQL injection attack to overwrite password hash values. This, however, did not gain access as we use a custom password hashing algorithm in all of our websites, so overwriting passwords set the password to an unknown password. In other words, updating the password hash values did not make it any easier to hack into anyone's account on that website.
While we would like to keep the Bugzilla website public, the fact is that the phpBugTracker code has many security holes, so it would be very time-consuming for Ed, Tim, and me to close all of the security holes. Given that and the fact that we now use Bugzilla only for historical purposes, the least costly solution for these security holes was to make the Bugzilla website no longer public.
While this change is not ideal, it should ensure that we don't put the historical data in Bugzilla at risk. Ed and I use that data for regression testing when we make changes to the NeoOffice code, so taking the website offline in order to protect the data seems to be the prudent thing to do.
Edit by pluby: I forgot to mention that we keep copious backups of the databases for each of our websites and since Bugzilla has very few changes, it was very easy for us to drop the hacked database data and restore the data from an earlier, unhacked point in time.
Patrick
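The post describes two things a defender can check for: that a password hash overwritten through SQL injection with a value from some other scheme cannot be used to log in when the site verifies against its own custom scheme, and that such foreign hashes are easy to spot in an audit. The following is an added example, not code from phpBugTracker or NeoOffice; the hashing scheme (PBKDF2-HMAC-SHA256 in a `pbkdf2_sha256$iterations$salt$digest` string), the in-memory SQLite users table, the sample accounts and the "tampered" MD5 value are all constructed for illustration. The writes use parameterised queries, which is the standard fix for the injection route the post mentions.

```python
import hashlib
import hmac
import os
import re
import sqlite3
from typing import List, Optional

# Assumed site-specific password format (constructed; not the real scheme of any project):
#   pbkdf2_sha256$<iterations>$<salt as 32 hex chars>$<digest as 64 hex chars>
ITERATIONS = 50_000
HASH_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]{32})\$([0-9a-f]{64})$")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a stored-hash string in the site's own format."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """A stored value that is not in our format can never authenticate anyone."""
    m = HASH_RE.match(stored)
    if not m:
        return False
    iters, salt_hex, digest_hex = int(m.group(1)), m.group(2), m.group(3)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iters)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db() -> sqlite3.Connection:
    """Constructed users table with three sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    for login, pw in [("alice", "correct horse"), ("bob", "battery staple"), ("carol", "hunter2")]:
        # Parameterised insert: user-supplied values are bound, never spliced into SQL text.
        conn.execute("INSERT INTO users VALUES (?, ?)", (login, hash_password(pw)))
    conn.commit()
    return conn


def overwrite_hash(conn: sqlite3.Connection, login: str, new_value: str) -> None:
    """Simulate the outcome the post describes: a hash value replaced in the table."""
    conn.execute("UPDATE users SET password_hash = ? WHERE login = ?", (new_value, login))
    conn.commit()


def audit_hashes(conn: sqlite3.Connection) -> List[str]:
    """Return logins whose stored hash is not one our scheme would have produced."""
    suspicious = []
    for login, stored in conn.execute("SELECT login, password_hash FROM users"):
        m = HASH_RE.match(stored)
        if not m or int(m.group(1)) != ITERATIONS:
            suspicious.append(login)
    return sorted(suspicious)


def authenticate(conn: sqlite3.Connection, login: str, password: str) -> bool:
    row = conn.execute("SELECT password_hash FROM users WHERE login = ?", (login,)).fetchone()
    return row is not None and verify_password(password, row[0])


def run_demo() -> dict:
    """Walk through: clean audit, a foreign hash written for bob, audit flags it, nobody logs in as bob."""
    conn = build_db()
    before = audit_hashes(conn)
    # Constructed foreign value: an unsalted MD5 hex digest, the kind of hash a generic
    # tracker might store. It does not match the site's format, so it authenticates nobody.
    overwrite_hash(conn, "bob", hashlib.md5(b"letmein").hexdigest())
    return {
        "audit_before": before,
        "audit_after": audit_hashes(conn),
        "bob_with_planted_password": authenticate(conn, "bob", "letmein"),
        "bob_with_original_password": authenticate(conn, "bob", "battery staple"),
        "alice_still_works": authenticate(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Running `audit_hashes` periodically against the users table (or as part of a restore-from-backup check like the one the post mentions) surfaces rows whose hash could not have been produced by the site's own code, which is exactly the artefact this kind of tampering leaves behind.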