Is web-based configuration considered harmful?
Recently, Apache was compromised by an XSS attack (apache.org incident report for 04/09/2010).
Someone posted an issue on their JIRA instance containing a shortened URL, which carried an XSS attack that stole the user's session cookie. Some admin users subsequently clicked on the link, their sessions were stolen, and the JIRA-based admin was compromised. The hackers now had access to the JIRA instance admin, and from that point they gained root access to one machine and shell access to another.
From bad to worse
How did the hackers with administrator privileges in JIRA escalate to root access on one server and shell access on another? Via web-based configuration. This allowed the attackers to change the upload root for files to an executable directory; from there they uploaded JSPs that gave them backdoor access to the file system. The hackers then modified JIRA to start collecting entered passwords, sent password reset notifications to all users, and farmed the new passwords! One of the collected passwords was the same as that user's shell account password, and from there they continued the attack.
Lessons learnt
Firstly, full credit to Apache for being open and honest about the attack. It really does help educate people on the seriousness of XSS attacks and how one seemingly innocent URL led to full control over a server. People should take note: XSS is not trivial, and the attack on Apache certainly wasn't.
I have to admit web-based configuration is infinitely preferable to me over writing reams of XML configuration! However, it is vulnerable and accessible to attack! So lock it down and minimise risk. Don't make the administration URLs accessible to the whole web! Make them accessible via a VPN only, or limit them to certain IP ranges, and minimise the risk.
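One way to apply the IP-range restriction described above, as an added example rather than code from Apache or JIRA: a WSGI middleware in Python that refuses administration URLs unless the request comes from an allowed network. The `/admin` prefix and the address ranges are assumed values for illustration.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumed values for illustration: admin URL prefix and VPN/office ranges.
ADMIN_PREFIX = "/admin"
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.8.0.0/24", "192.0.2.0/28")]


def is_admin_path(path):
    """True if the path falls under ADMIN_PREFIX once normalised."""
    # Collapse "//", "." and ".." and fold case so variants such as
    # "/static/../admin" or "//ADMIN/" are still treated as admin URLs.
    # The extra unquote() can only widen the match, so it fails closed.
    norm = posixpath.normpath("/" + unquote(path).lstrip("/")).lower()
    return norm == ADMIN_PREFIX or norm.startswith(ADMIN_PREFIX + "/")


def client_allowed(remote_addr):
    """True if the TCP peer address is inside one of ALLOWED_NETS."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # missing or malformed address: deny
    return any(ip in net for net in ALLOWED_NETS)


class AdminAllowlist:
    """WSGI middleware: 403 for admin URLs requested from outside ALLOWED_NETS."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # REMOTE_ADDR is the direct peer. Behind a reverse proxy it is the
        # proxy's address, so enforce the restriction at the proxy instead;
        # a client-supplied X-Forwarded-For header must not be trusted here.
        path = environ.get("PATH_INFO", "")
        if is_admin_path(path) and not client_allowed(environ.get("REMOTE_ADDR", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)
```

With this in place a stolen admin session cookie replayed from outside the allowed ranges is refused before the configuration pages are reached.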