For the second time in two months, a major open source project has been breached. This time the victim is the WineHQ project, which manages Wine, an open source technology that lets users install and run Windows applications on Linux, Mac, Solaris and other operating systems.
WineHQ earlier this week disclosed that someone had managed to break into one of its database systems and gain access to an open source PHP tool that allows remote management of databases.
In a note announcing the flaw, Wine developer Jeremy White said it's unclear how the intruder was able to gain unauthorised access to the PHP utility. "It was either by compromising an admins credentials, or by exploiting an unpatched vulnerability in phpmyadmin," White wrote.
White is also the founder and CEO of Codeweavers, a company that sponsors the Wine project.
WineHQ had "reluctantly" decided to allow application developers to remotely access the PHP utility because it is "a very handy tool, and something they very much wanted," he said. "But it is a prime target for hackers, and apparently our best efforts at obscuring it and patching it were not sufficient."
According to White, there appears to be no immediate evidence of harm to any databases though it would have been relatively easy for malicious hackers to cause damage.
However, the attackers managed to harvest all the login information of users of the Wine Application Database (AppDB) and Bugzilla, the WineHQ bug tracking system, White added. "This means that they have all of [the email addresses], as well as the passwords," of AppDB and Bugzilla users, he said.
"The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked," White said. "This, I'm afraid, is a serious threat; it means that anyone who uses the same email/password on other systems is now vulnerable to a malicious attacker using that information to access their account."
WineHQ is resetting the passwords of all affected users, he added.
WineHQ is the second open source project to be breached in the past two months.
In August, hackers broke into Kernel.org, the home of the Linux project and gained administrative access to several servers within the kernel.org infrastructure. That breach led to a subsequent breach that resulted in several websites, including Linux.com and LinuxFoundation.org, being pulled offline in September.
WineHQ is hosted on SourceForge, an open source software development site that hosts more than 260,000 open source projects. SourceForge was itself hacked in January in an attack that some believe might have been intended to corrupt projects hosted on the site.
It wasn't immediately clear if this week's WineHQ breach was related in any way to the attack on SourceForge. White did not immediately respond to a request for comment.