According first revelations the hacker despite has had full access to the database, he has promised not to disclose the database dump because the purpose of the hack is only to highlight the importance of security for so popular website.
The discovery was made by the team of security experts at The Hacker News that promptly alerted the openSUSE team.
Security experts noted that openSUSE was using a vulnerable version of the CMS vBulletin (ver 4.2.1), known to be affected by a serious flaw that allows an attacker to inject rogue administrator accounts. H4x0r HuSsY has exploited the same vulnerability to compromise the openSUSE forum, a couple of months ago the MacRumors forum was hacked with a similar technique.
The Pakistani Hacker confirmed to The Hacker News staff is that has uploaded a PHP shell on the forum server using his own Private vBulletin’s zero-day exploit, that allowed him to navigate the file system of the Forum server and write/overwrite any file without root privileges.
vBulletin is one of the most diffused CMS for easy management of the forums, this means that thousands of websites could be exposed to serious risk of hack until the flaw will be fixed. vBulletin security team must hurry up, the situation is critical.The openSUSE team has informed the users’ via tweets about the attack and its as decided to suspend its forum for the presence of the flaw in the CMS used.
“Warning: Our forums are down because they were defaced. We’re currently investigating what exactly has happened.”“As the exploit is in the forum software we use and there are no known fixes or workarounds we have decided to take the forums offline for now, until we have found a solution. Stay tuned for updates here, on twitter, facebook” or g+.” states the official security advisory.
“Rest assured, no user credentials have been leaked as we use a single sign on system for our services. Note that we use SSO so we don’t think we lost any account data.”
and while Pakistani hacker has shared a snapshot of stolen database, THN team has for obvious reasons obscured the passwords.
the team at openSuse has published the following statement on the official blog post
“Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords where indeed random, automatically set strings that are in no way connected to your real password.”
If you are an penSUSE user please change the password immediately.
(Security Affairs – zero-day vulnerability, openSuse)