Apparently, by exploiting a Cross-site Scripting vulnerability, some attackers gained access to users' passwords on Apache.org and in JIRA (some passwords in JIRA were stored in plain text).
Today, when I heard the news, I decided to download the latest demo version of JIRA and give it a try with Netsparker. Not surprisingly, Netsparker identified more than 10 XSS vulnerabilities in JIRA.
Obviously I don't know the details of the attack, or whether the attack was based only on one of these Cross-site Scripting vulnerabilities, but presumably this attack would have been prevented if either JIRA or Apache.org had used Netsparker Professional or the free Netsparker Community Edition.
I have already dropped an email to the Apache Security Team and offered them a free Netsparker Professional license.
Currently Netsparker is still scanning the test system, but it has already identified many XSS instances, Permanent XSS issues and many other minor issues.
Tags: apache, JIRA, XSS, netsparker - Wed, 14 Apr 2010, by Ferruh Mavituna