Serious Vulnerability in Bugzilla Allows Viewing Private Bug Details


Exterminator

Level 85
Thread author
Oct 23, 2012
A zero-day security glitch in the Bugzilla bug-tracking platform used for managing vulnerabilities by prominent software organizations, both private and open-source, was disclosed on Monday.

The flaw is quite serious, as it allows an individual to register an account with the service using an email of their choice, without requiring access to the actual inbox for validation purposes.
Attackers could modify vulnerability information
Such a security vulnerability in the platform means that an attacker could view all the bugs in software tracked through Bugzilla.

Check Point Software Technologies uncovered the flaw and reported it to the team leading the Bugzilla project, who recognized its severity; the CVE-2014-1572 identifier has been assigned to it.

According to Check Point’s Shahar Tal, the “bug enables unknown users to gain administrative privileges” and “by using these admin credentials, attackers can then view and edit private and undisclosed bug details.”

Another risk is that a malicious actor exploiting the flaw could intervene to destroy information in order to slow down the process of fixing vulnerabilities in a particular piece of software.
Patch is available, clients urged to apply it
Due to the critical nature of the glitch, the Mozilla Foundation rushed to release a patch and warned the prominent organizations about its availability.

As a result, new Bugzilla versions are offered for download: 4.0.15, 4.2.11, 4.4.6, and 4.5.6. The security advisory published with them says that the “realname” parameter in the “login_name” field is not filtered correctly when creating an account, which could lead to user data overwrite.

“The overridden login name could be automatically added to groups based on the group's regular expression setting,” the advisory says.
Hundreds of organizations use Bugzilla
Bugzilla is used for reporting and managing bugs, among others, in projects like Mozilla Firefox, Apache, OpenSSH, Eclipse, KDE, GNOME, Wikimedia Foundation, Wireshark, Novell, and different Linux distributions.

According to the installation list, there are 148 companies running public Bugzilla installations, but the number could be at least ten times higher since many of them are private, meaning that the login page is not accessible over the Internet.

This particular vulnerability is credited to Netanel Rubin of Check Point, who discovered it on September 29 and reported it to the Bugzilla team the following day.

On September 30, developers at Bugzilla acknowledged the flaw and delivered confirmation to the researcher, at the same time preparing an initial patch. On Monday, the final patch was released, and it is recommended that all Bugzilla clients apply it.
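An added illustration of the bug class the advisory describes, not code from the post or from Bugzilla: an account record is built from form input, the unfiltered "realname" field can overwrite "login_name", and a group whose membership is granted by regular expression then picks the overridden login up. The group regexp, domain names and the flat key/value modelling of the record are assumptions made here for the example; the hardened version binds the login name to the address the registration token confirmed.

```python
import re

# Constructed sample setting: a group granted automatically to any login name
# matching a regular expression. The domain is a placeholder, not a real one.
GROUP_REGEXPS = {"admin": re.compile(r"^.+@example-corp\.test$")}


def auto_groups(login_name):
    """Return the groups a login name falls into purely by regexp matching."""
    return sorted(g for g, rx in GROUP_REGEXPS.items() if rx.match(login_name))


def create_account_vulnerable(confirmed_email, realname_values):
    """Modelled pre-fix behaviour (assumption, not Bugzilla's code): the record
    is assembled from a flat key/value list and every submitted realname value
    is spliced in unfiltered, so surplus values turn into extra keys and a
    later 'login_name' silently replaces the confirmed address."""
    flat = ["login_name", confirmed_email, "realname", *realname_values]
    record = dict(zip(flat[0::2], flat[1::2]))
    record["groups"] = auto_groups(record["login_name"])
    return record


def create_account_fixed(confirmed_email, realname_values):
    """Hardened version: accept exactly one realname string, never let form
    input choose record field names, and derive login_name only from the
    address that the registration token actually confirmed."""
    realname = realname_values[0] if realname_values else ""
    record = {"login_name": confirmed_email, "realname": realname}
    record["groups"] = auto_groups(record["login_name"])
    return record


def audit_accounts(accounts):
    """Defender-side check over stored accounts: list every record whose login
    name differs from the address that was confirmed when it was created.
    `accounts` is a list of (confirmed_email, record) pairs."""
    return [rec["login_name"] for email, rec in accounts
            if rec["login_name"] != email]


if __name__ == "__main__":
    # Constructed input: a display name followed by an injected key/value pair.
    crafted = ["Eve", "login_name", "boss@example-corp.test"]
    bad = create_account_vulnerable("eve@free-mail.test", crafted)
    good = create_account_fixed("eve@free-mail.test", crafted)
    print("vulnerable:", bad["login_name"], bad["groups"])   # overridden, ['admin']
    print("fixed:     ", good["login_name"], good["groups"])  # confirmed address, []
    print("audit:     ", audit_accounts([("eve@free-mail.test", bad)]))
```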
