Mozilla Patches Bugzilla Vulnerability
Monday, September 21, 2015 @ 04:09 PM gHale
Mozilla patched what it is calling a critical vulnerability in its open source bug-tracking Bugzilla software.
Attackers could leverage the vulnerability to gain access to information about a project’s still-unpatched flaws.
The attacker could gain permissions by tricking the system into believing he or she is part of a privileged domain, causing the system to grant domain-specific permissions.
“Login names (usually an email address) longer than 127 characters are silently truncated in MySQL which could cause the domain name of the email address to be corrupted,” Mozilla said in the security advisory published along with the updates.
“An attacker could use this vulnerability to create an account with an email address different from the one originally requested. The login name could then be automatically added to groups based on the group’s regular expression setting,” the advisory said.
Netanel Rubin, a senior vulnerability researcher with PerimeterX, and his colleagues Byron Jones and Frédéric Buclin discovered the flaw on September 7 and informed Mozilla.
The organization took three days to patch it, and included the fix in Bugzilla versions 5.0.1, 4.4.10 and 4.2.15 pushed out on September 10.
All previous versions of Bugzilla are vulnerable, so Bugzilla administrators should update their installation as soon as possible.
“If you are using email based permissions in your Bugzilla deployment and have not yet installed a patched version, take it down until patched,” Rubin said in a blog post. “Make sure to go over the logs and user-list to identify users that were created using this vulnerability. This vulnerability is extremely easy to exploit and the details have been known for more than a week, you have been or will be attacked.”
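The user-list review Rubin recommends can be scripted. The following is an added example, not code from the advisory or from Bugzilla: it flags stored login names that sit at the 127-character truncation length and also match a group regular expression, and shows input validation that rejects over-length names instead of truncating them. The function names, the sample logins, the `staff` group and the `.example` domains are constructed for illustration, and the regexes are assumed to be compatible with Python's `re` syntax.

```python
import re

LOGIN_MAX = 127  # truncation length stated in the advisory


def validate_login(requested):
    """Reject an over-length login outright so that the value checked
    against group regexes is always the value that gets stored."""
    if len(requested) > LOGIN_MAX:
        raise ValueError(f"login name exceeds {LOGIN_MAX} characters")
    return requested


def audit_users(logins, group_regexes):
    """Return (login, group) pairs that need manual review: the stored
    login is at the truncation length AND matches a group regex."""
    findings = []
    for login in logins:
        if len(login) < LOGIN_MAX:
            continue  # shorter names cannot be the result of truncation
        for group, pattern in group_regexes.items():
            # Assumption: match case-insensitively so the audit
            # over-reports rather than misses a candidate.
            if re.search(pattern, login, re.IGNORECASE):
                findings.append((login, group))
    return findings


def _padded(domain):
    """Build a constructed login of exactly LOGIN_MAX characters."""
    suffix = "@" + domain
    return "x" * (LOGIN_MAX - len(suffix)) + suffix


# Constructed sample data (hypothetical group and domains).
SAMPLE_GROUPS = {"staff": r"@corp\.example$"}
SAMPLE_LOGINS = [
    "alice@corp.example",       # normal length, ordinary member
    _padded("corp.example"),    # at the limit and in a regex group
    _padded("other.example"),   # at the limit, no group match
]

if __name__ == "__main__":
    for login, group in audit_users(SAMPLE_LOGINS, SAMPLE_GROUPS):
        print(f"review: {login[:20]}... ({len(login)} chars) -> group {group}")
```

A flagged account is only a candidate for review; a legitimate user can have a login name of exactly that length.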
The discovery of the flaw came days after Mozilla said a hacker had managed to access their own Bugzilla, and had access to vulnerability information about their products for over a year.