Dec 1, 2010 09:57 GMT  ·  By

Savannah, the collaborative development platform maintained by the Free Software Foundation, was taken offline earlier this week after unknown attackers exploited an SQL injection vulnerability to compromise accounts.

Savannah runs on Savane2, open source software forked from the original SourceForge code after that project changed its licensing and went proprietary.

The platform has grown to offer support for the CVS, Subversion, Git, Mercurial, GNU Arch and Bazaar revision control systems, as well as a bug tracker and mailing lists.

An announcement posted Monday on the savannah.gnu.org website informed users that the repository had been compromised and that work was underway to restore it from an older backup.

Apparently the attackers used a method known as SQL injection, which exploits insufficient input validation to run attacker-controlled queries against the underlying database.

In this case, it was used to extract the password hashes of accounts on the system. The hashing scheme also appears to have been weak enough that the attackers were able to crack the hashes by brute force.
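The attack pattern described above, as an added example that is not Savane's code and not the Savannah exploit: a project search built by string concatenation lets a crafted search term close the LIKE pattern and UNION the account table onto the result set, leaking every password hash. The table names, column names and account rows are constructed for the example, and the parameterized variant shows the fix.

```python
import sqlite3

# Constructed sample accounts (not Savannah data). The values are unsalted MD5
# digests of well-known weak passwords, the kind of hash a dictionary attack
# recovers immediately.
SAMPLE_USERS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),  # md5("password")
    ("bob", "e10adc3949ba59abbe56e057f20f883e"),    # md5("123456")
]


def make_db():
    """Build an in-memory database with a hypothetical project and user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user_name TEXT, user_pw TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE project (group_name TEXT, description TEXT)")
    conn.execute("INSERT INTO project VALUES ('gnu-foo', 'A sample project')")
    conn.commit()
    return conn


def search_projects_vulnerable(conn, term):
    """The bug: the user-supplied term is pasted straight into the SQL text."""
    sql = ("SELECT group_name, description FROM project "
           "WHERE group_name LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


def search_projects_fixed(conn, term):
    """The fix: the term travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT group_name, description FROM project WHERE group_name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# A malicious search term: the quote ends the LIKE pattern, the UNION grafts
# the user table (two columns, matching the SELECT list) onto the output, and
# the trailing "-- " comments out the rest of the original statement.
INJECTION = "x%' UNION SELECT user_name, user_pw FROM user -- "


def demo():
    conn = make_db()
    legit = search_projects_vulnerable(conn, "gnu")
    leaked = sorted(search_projects_vulnerable(conn, INJECTION))
    safe = search_projects_fixed(conn, INJECTION)
    return legit, leaked, safe


if __name__ == "__main__":
    legit, leaked, safe = demo()
    print("normal search:", legit)
    print("injected search (vulnerable):", leaked)
    print("injected search (parameterized):", safe)
```

With the vulnerable function the injected term returns the two user rows instead of projects; with the parameterized one the same input is treated as an ordinary (non-matching) pattern and returns nothing. Parameterization is the fix the page describes in effect; input validation alone is not enough, because a single quote is legitimate in many fields.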

Savannah admins initially restored the system from a backup made on the 23rd of November and re-enabled write access to the repositories so that project admins could recommit their changes.

However, the procedure was suspended yesterday after traces of the attack were also found for the 23rd. The plan then switched to restoring everything from a backup made on the 22nd.

Read-only SQL injection attacks dating back to January were also discovered, but they did not result in account compromises. “After fishing through logs, it appears that there was no other account cracking,” the team announced today.

Other actions taken so far as a result of this incident include resetting account passwords and fixing the SQL injection vulnerability. The code was also audited and no other similar flaws were found.

However, before the Web interface is brought back up, Savannah administrators plan to implement stronger password hashing (crypt-md5 or crypt-sha2) and to enforce the use of stronger passwords.
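Why the two remediations above go together, as an added example that is not Savannah's code: the first function cracks unsalted MD5 hashes with a tiny constructed wordlist, which is the situation described earlier in the article; the second pair stores and verifies passwords with a per-user random salt and an iteration count, the properties that crypt-md5 and crypt-sha2 provide. The example uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the glibc crypt formats, since Python's crypt module is deprecated, and the password policy (minimum length, not in the wordlist) is an assumed one, not Savannah's.

```python
import base64
import hashlib
import hmac
import os

# Constructed wordlist and victim hashes (not Savannah data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "savannah"]
LEAKED = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob": "e10adc3949ba59abbe56e057f20f883e",    # md5("123456")
    "carol": "0000000000000000000000000000000000",  # not in the wordlist
}


def crack_unsalted_md5(hashes, wordlist):
    """Dictionary attack: one MD5 per candidate word cracks every user at once,
    because without a salt identical passwords have identical hashes."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


ITERATIONS = 100_000  # assumed work factor; raise as hardware improves


def hash_password(password, iterations=ITERATIONS):
    """Salted, iterated hash in a self-describing string (scheme$iter$salt$dk)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, scheme, iters, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def password_acceptable(password, wordlist=WORDLIST, min_length=12):
    """Assumed policy: long enough and not a known weak password."""
    return len(password) >= min_length and password.lower() not in wordlist


if __name__ == "__main__":
    print("cracked:", crack_unsalted_md5(LEAKED, WORDLIST))
    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("verify wrong:", verify_password("password", stored))
    print("policy rejects 'password':", not password_acceptable("password"))
```

Salting defeats the shared lookup table (each user must be attacked separately) and the iteration count makes each guess cost thousands of hash operations instead of one; neither saves an account whose password is in every wordlist, which is why the password policy is the other half of the fix.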