The road to glory, from XSS to Root on apache.org

On the 9th of April 2010, Apache.org infrastructure suffered a direct and targeted attack on the server hosting the Apache issue-tracking software, Atlassian JIRA. This is the second major compromise the Apache Software Foundation has suffered in less than a year: last August, the main Apache Foundation website was also hacked.
The attackers exploited a cross-site scripting vulnerability in the JIRA software, delivering the payload through a TinyURL redirect. Through this attack they managed to gain root access to brutus.apache.org, the server hosting the Atlassian JIRA, Bugzilla and Confluence software. With root access to brutus.apache.org, the attackers obtained a hashed copy of the user passwords of JIRA, Bugzilla and Confluence.
The attack
The attackers first submitted a new issue in JIRA (issue code INFRA-2591), which contained the following message:

“I’ve got this error while browsing some projects in jira http://tinyurl.com/ybnf8xt”
Upon receiving this message, a number of administrators from the infrastructure team clicked on the link. Clicking the link compromised their sessions by exploiting a cross-site scripting vulnerability in Atlassian JIRA. Meanwhile, the attackers also launched a brute-force attack against the JIRA login.jsp page.
Through the above attacks, the attackers managed to gain administrator privileges on JIRA, where they immediately changed the path used to store uploaded attachments. The path (continue reading...)
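The two behaviours described above, a burst of POSTs against login.jsp from a single address and requests arriving through a URL-shortener link with script markup in the query string, both leave traces in the web server's access log. The following is an added example, not code from the original post or from the Apache infrastructure team: a small Python script that parses constructed log lines in Apache "combined" format and flags those patterns. The log lines, IP addresses (documentation ranges), the `/jira/login.jsp` path and the brute-force threshold are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache "combined" log format. These are NOT real
# apache.org logs; the addresses come from the RFC 5737 documentation ranges.
# The last line models a victim's browser following the shortener redirect
# into a JIRA page with script markup in the query string.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2010:10:01:01 +0000] "POST /jira/login.jsp HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.7 - - [09/Apr/2010:10:01:02 +0000] "POST /jira/login.jsp HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.7 - - [09/Apr/2010:10:01:02 +0000] "POST /jira/login.jsp HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.7 - - [09/Apr/2010:10:01:03 +0000] "POST /jira/login.jsp HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.7 - - [09/Apr/2010:10:01:04 +0000] "POST /jira/login.jsp HTTP/1.1" 200 512 "-" "curl/7.19"
203.0.113.7 - - [09/Apr/2010:10:01:05 +0000] "POST /jira/login.jsp HTTP/1.1" 200 512 "-" "curl/7.19"
192.0.2.10 - - [09/Apr/2010:10:02:00 +0000] "POST /jira/login.jsp HTTP/1.1" 302 0 "https://issues.example.org/jira/login.jsp" "Mozilla/5.0"
192.0.2.10 - - [09/Apr/2010:10:02:01 +0000] "GET /jira/browse/INFRA-2591 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Apr/2010:10:05:00 +0000] "GET /jira/secure/Dashboard.jspa?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "http://tinyurl.com/ybnf8xt" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "METHOD target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers that should never appear in a decoded query string of a legitimate request.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_login_bruteforce(entries, login_path="/jira/login.jsp", threshold=5):
    """Return {ip: count} for addresses that POSTed to the login page >= threshold times.

    The path and threshold are assumptions; tune them to the real deployment.
    """
    counts = Counter(
        e["ip"] for e in entries
        if e["method"] == "POST" and urlsplit(e["target"]).path == login_path
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_xss_attempts(entries):
    """Return (ip, target) for requests whose decoded query string carries script markup."""
    hits = []
    for e in entries:
        query = urlsplit(e["target"]).query
        decoded = unquote(unquote(query))  # double-decode to catch %253C-style encoding
        if XSS_MARKERS.search(decoded):
            hits.append((e["ip"], e["target"]))
    return hits


def find_shortener_referers(entries, shorteners=("tinyurl.com", "bit.ly")):
    """Return (ip, referer, path) for requests that arrived via a URL shortener.

    A shortener referer on an internal tracker page is worth reviewing on its own,
    since it hides the real destination from whoever clicked the link.
    """
    hits = []
    for e in entries:
        host = urlsplit(e["referer"]).netloc.lower()
        if host in shorteners:
            hits.append((e["ip"], e["referer"], urlsplit(e["target"]).path))
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("login brute force:", find_login_bruteforce(log))
    print("script markup in query:", find_xss_attempts(log))
    print("shortener referers:", find_shortener_referers(log))
```

Against the constructed sample, the script reports 203.0.113.7 for six login POSTs, and the same request from 198.51.100.4 under both the script-markup and shortener-referer checks; the ordinary login and issue view from 192.0.2.10 are not flagged. In production the brute-force check would be applied over a sliding time window rather than the whole file, and the markup check is a triage aid, not a replacement for output encoding in the application.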


Copyright © 2012 The Security Blog. All rights reserved.