Hi,

I am sad to say that there was a compromise of the WineHQ database system.

What we know at this point that someone was able to obtain unauthorized
access to the phpmyadmin utility. We do not exactly how they obtained
access; it was either by compromising an admins credentials, or by
exploiting an unpatched vulnerability in phpmyadmin.

We had reluctantly provided access to phpmyadmin to the appdb developers
(it is a very handy tool, and something they very much wanted). But it
is a prime target for hackers, and apparently our best efforts at
obscuring it and patching it were not sufficient.

So we have removed all access to phpmyadmin from the outside world.

We do not believe the attackers obtained any other form of access to the
system.

On the one hand, we saw no evidence of harm to any database. We saw no
evidence of any attempt to change the database (and candidly, using the
real appdb or bugzilla is the easy way to change the database).

Unfortunately, the attackers were able to download the full login
database for both the appdb and bugzilla. This means that they have all
of those emails, as well as the passwords. The passwords are stored
encrypted, but with enough effort and depending on the quality of the
password, they can be cracked.

This, I'm afraid, is a serious threat; it means that anyone who uses the
same email / password on other systems is now vulnerable to a malicious
attacker using that information to access their account.

We are going to be resetting every password and sending a private email
to every affected user.

This is again another reminder to never use a common username / password
pair. This web site provides further advice as well:
http://asiknews.wordpress.com/2011/03/0 ... web-sites/

I am very sad to have to report this. We have so many challenges in our
world today that this is a particularly painful form of salt for our wounds.

However, I think it is urgent for everyone to know what happened.

Cheers,

Jeremy

On Oct 11, 2011, at 12:13 PM, Jeremy White wrote:


Insecure HTTP access?


Since bugzilla passwords were sent in cleartext anyway, I sincerely hope none of them were otherwise valuable. (Remember FireSheep?)


You might also consider expiring old login cookies.


Josh

OK, it's good that you inform us. However, I have a few passwords that I cycle and I don't remember which one I was using here. Is there any way of viewing the old password?

No, the passwords were encrypted. Best I could do would be to give you the hash of your old password.

I think a hashed password is better than nothing. Who can we contact to get that information?

I changed my password by pressing Forgot Password, so long as you have access to your eMail you signed up with you can use that to reset the password without knowing your old one. I had quite a few sites I had to change my password for, hate it when hackers do this stuff, it really isn't very polite.

That's the problem. I don't know what my old password was, so I don't know what other sites, if any, I've used it for.

Yeah, well in that case you'll have to change passwords on all your important sites where you have power/admin/mod abilities or you may just find that one of them will be taken over and cause damage/data loss.

I've just gone and changed 8 sites, I hope I remember them all now, thank god for cookies and online sync.

jnewman: Can you please send me my old password hash via email? The account email is the same as this forum account.

On Oct 11, 2011, at 3:37 PM, Conan Kudo (ニール・ゴンパ) wrote:


To clarify, your browser sends your password to bugzilla in cleartext, since HTTPS isn't an option.

Firesheep was a lesson that even once passwords are secure, session credentials are still vulnerable to sniffing. Some sites went to HTTPS-only sessions after that.

Josh

2011/10/11 Josh Juran <josh@iswifter.net>:

http://bugs.winehq.org/show_bug.cgi?id=23791

--
-Austin

Thank you so much for letting the users know so early on.

Bugzilla/forum passwords should probably be reset as well for appdb
users, there's no doubt most people share passwords with the appdb.

On Tue, Oct 11, 2011 at 8:13 PM, Jeremy White <jwhite@codeweavers.com> wrote:

Hey everyone,

On 10/11/2011 09:13 PM, Jeremy White wrote:
You may also want to change your testbot password if you re-used your password..
https://testbot.winehq.org/ForgotPassword.pl

Cheers,
Maarten

2011/10/11 Jerome Leclanche <adys.wh@gmail.com>:
Thanks for the early notice !

Testbot passwords should also be reset as it seems it doesn't allow
password reset / change ATM. (At least I wasn't able to find that
possibility)

--
Nicolas Le Cam

On Tue, Oct 11, 2011 at 8:46 PM, Jerome Leclanche <adys.wh@gmail.com> wrote:

Nevermind... had not received the other emails yet.

Best of luck sorting it all out.


JL

On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White <jwhite@codeweavers.com>wrote:

<snip>

Hi,

one question. I'm not worried about my current account, but I had an old
email with an old password recorded in my keychain store. I tried that email
at appdb.winehq.org but it said "user does not exist". Can I assume it was
completely deleted?

Regards,
--
Per Johansson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winehq.org/pipermail/wine-users/attachments/20111011/2944ea43/attachment.html>

Hi Jeremy,

Could you please reveal details on how the passwords were "encrypted"?
Which hash function, were they salted, was the salt compromised.

This would help the users evaluate just how much is "enough effort"
to crack the passwords.

Thank you.

--
Vasiliy Faronov

Could you please explain in detail how these passwords were "encrypted"?
Were they hashed? Using which hash function? Did you use a SALT?

I have a simple password that I use for sites like these, which means
that the hackers now have access to other forums and bug trackers I am
registered in. It's not a problem for me.

On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White <jwhite@codeweavers.com> wrote:

Jeremy,

Almost 2 years ago I have sent you an email privately about a security
hole with the database. To be exactly, the date of the email is Wed,
Jul 29, 2009, 12:00 AM (GMT +02:00). I guess that's probably the same
trick the bad guys have used...

Kind regards,

Matijn Woudt

On Tue, Oct 11, 2011 at 3:39 PM, Josh Juran <josh@iswifter.net> wrote:

Wait, what? Bugzilla sends passwords in cleartext? That isn't very smart...
Is there no way to replace this with some sort of client based hashing or
something?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winehq.org/pipermail/wine-users/attachments/20111011/a513680e/attachment.html>

2011/10/11 Josh Juran <josh@iswifter.net>

Shouldn't it be possible to modify the login environment so that a salted
hash of the password is produced before sending it to the server, to
strengthen the security a little bit?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winehq.org/pipermail/wine-users/attachments/20111011/65a1b084/attachment.html>

On Oct 11, 2011, at 3:54 PM, Conan Kudo ($B%K!<%k!&%4%s%Q(B) wrote:


That protects the password itself, but not the privilege it guards.

It also essentially makes Javascript a requirement, which currently it isn't.

Josh

Hindsight, this would have been worth re-mentioning (at least once every few months), or IT WAS YOU , you knew a way to access the data and decided that if they weren't gonna patch the hole that you could grab the data and show them how wrong it was to ignore you (Joking... or am I).

Seriously, security is mostly a joke, if someone wants to get access they can/will, but that is not to say you make it easier for them by leaving holes in your security. I hope in the future reports are treated very serious. PHP is one of the most hackable web services, I am surprised WineHQ has been left alone this long, all my forums have been targeted at one stage of their life cycle. But I now know a way around the security issues (no I wont share or it'll be targeted too).

Hello Jwhite,

Could you share the encryption procedure your system was using to store the hashes in the database? Was it using the secret word
which all so became a public domain? Was it a default Bugzilla authorization method? How much time it would require to brute force the passwords?

In the future try to avoid using "out of the box" encryption which allows passwords to be brute forced. If an attacker wouldn't know
the algorithm the hash was generated with it would be nearly impossible to brute force the hashes.

I recommend to move the authorization mechanics out of the host directories in a way which would prevent an attacker
who gained control over the virtual host files to read authorization algorithms.

How is it possible that you don't know how the passwords were stolen but you know that they were stolen? Aren't there HTTP secure log archive?
Check out host secure log. It's important to understand how the info leaked to close the leak. May be an attacker gained
access to another virtual host and through that access downloaded the database. In this case you may loose information again.

The key to the answer HOW is apache & mysql logs, scrutinize them and you'll understand what happened. If there is an unknown bug in mysqladmin you
will immediately catch it. At least you will know if an attacker got DB access through your host.


Many people around here might be interested if it's really worth changing passwords which are at least 6 letters in length.


You told us that phpmyadmin was obfuscated, it excludes a scanner getting access over the database.
Hacking WINE bugzilla is a foul job and only a teenager kid (or an man which is still young in his soul) would ever do that.
Kids are usually gaining access to the filesystem first. Check out if there is a change in templates... which leaked
the cookies or passwords in files which could be read.

The worst thing that could happen is that the passwords would be decrypted and added to the automatic scanners which probe
the online services but I doubt that kind of intelligence from a person hacking bugzillas.


Thanks for letting us know most of the services prefer to keep silence over these problems.

--
Best regards,
Igor mailto:sprog@online.ru
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winehq.org/pipermail/wine-users/attachments/20111012/1a7d8050/attachment.html>

Could I get my old password hash as well? My Bugzilla account was registered with a different email address, send me a message to this one and I'll respond from the correct one. Seems to me that a savvy hacker might note a request in the open here as a good account to start attacking first.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winehq.org/pipermail/wine-users/attachments/20111011/72a8764d/attachment.html>