Ettercap Troubles on SourceForge


Recently, there have been reports in the news that an unauthorized third party viewed and modified the ettercap forums database (hosted on our Project web service). Among other things, this exposed hashed values of ettercap forum user passwords. (In other words, if you have an ettercap account/password and you’re using the same password in other places, such as your SourceForge account, it would be in your best interest to change them. And not do that anymore.)

Before I go on, I want to make it very clear that this had no effect on our downloads service, our hosted apps, SCMs, forums, etc.

So how did this happen?

Our Project web space is a shared environment. This is a known limitation, and we do advise our users to assume that all files uploaded to our servers may be viewed by other users. Unfortunately, when ettercap set up their phpBB instance, the database admin credentials were stored in an openly readable configuration file. We recommend that the admin user for a database only be used by a human user to manage the database. To limit the security risk, the application itself should only use either the read-only or the read-write database user, as appropriate for the application.
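As an added illustration of the two problems described above (not code from SourceForge or the ettercap project), the following POSIX shell audit checks a phpBB-style config.php for both of them: a file mode that lets other users of a shared host read it, and a database user that is the admin account. The config path and the admin account name are assumptions passed in by the caller; the fix for the mode is automated, while the credential itself still has to be rotated and replaced with a read-write user by hand.

```shell
#!/bin/sh
# Audit a phpBB config.php on a shared web host for the two weaknesses in
# the ettercap incident: world-readable permissions and admin DB credentials.

# Succeed (exit 0) if the "other" permission bits grant read access.
world_readable() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, else BSD stat
  other=$(printf '%s' "$mode" | tail -c 1)                   # last octal digit = "other"
  [ $((other & 4)) -ne 0 ]
}

# Print the value assigned to $dbuser in a phpBB config.php, e.g. $dbuser = 'phpbb';
config_dbuser() {
  grep '^\$dbuser' "$1" | head -n 1 | cut -d"'" -f2
}

# Run both checks. Prints each finding; returns 0 only when neither applies.
# $1 = path to config.php, $2 = name of the database admin account (assumed; default "admin").
audit_phpbb_config() {
  cfg=$1
  admin_user=${2:-admin}
  rc=0
  if world_readable "$cfg"; then
    echo "FAIL: $cfg is readable by other users of the shared host"
    rc=1
  fi
  user=$(config_dbuser "$cfg")
  if [ "$user" = "$admin_user" ]; then
    echo "FAIL: $cfg stores the database admin account '$user'; use a read-write app user"
    rc=1
  fi
  return $rc
}

# Remediate the file mode only: owner read/write, group read, nothing for others.
# The exposed credential must still be rotated and replaced by a least-privilege user.
harden_config() {
  chmod 640 "$1"
}
```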

But we know that the fact that files in the project web system could potentially be readable by other users of the system is a significant limitation of the service, and that expecting every one of our users to maintain this level of security awareness is probably not feasible. So, we will be rolling out an update to the Project web service that addresses this issue and removes read access to these files from other users.

Details of the new more secure project web system can be found here.
