A critical zero-day vulnerability discovered in Mozilla’s popular Bugzilla bug-tracking software, which is used by hundreds of prominent software organizations, both private and open-source, could expose sensitive information and the vulnerability details of those software projects to hackers.
The critical flaw allows an attacker to bypass the email verification step when registering a new Bugzilla account, which means an attacker can register accounts under any email address of their choice without needing access to the corresponding inbox for validation.
VALIDATION BYPASS AND PRIVILEGE ESCALATION BUG
Security firm Check Point Software Technologies disclosed the flaw (CVE-2014-1572) on Monday and said it is the first privilege-escalation vulnerability found in the Bugzilla project since 2002. The Mozilla Foundation has also confirmed that this particular bug exists in all versions of Bugzilla going back to version 2.23.3 from 2006.
An analysis carried out by the researchers at Check Point revealed that the critical "bug enables unknown users to gain administrative privileges" as well as "by using these admin credentials, attackers can then view and edit private and undisclosed bug details."
Furthermore, a hacker exploiting the flaw could destroy bug information in an effort to slow down the process of fixing vulnerabilities in a particular piece of software.
"The successful exploitation of the vulnerability allows the manipulation of any (database) field at the user creation procedure, including the 'login_name' field," Netanel Rubin, a researcher with Check Point, wrote in the initial report to Bugzilla. "This breaks the e-mail validation process and allows an attacker to create accounts which match the group's regex policies, effectively becoming a privileged user."
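The mechanism Rubin describes is a mass-assignment defect: the account-creation step copies client-supplied fields into the new user record, so a login_name chosen by the client replaces the address that actually passed email verification, and regex-based group membership is then evaluated against the forged name. The following is an added illustration of that bug class and its fix, not Bugzilla's code; the group regex, token and addresses are constructed placeholders.

```python
import re

# Constructed sample: groups that grant membership by a regex on the login
# name, mirroring the "group regular expression" setting the advisory mentions.
GROUP_REGEXPS = {"admins": r".*@example\.org$"}

# Constructed sample: registration tokens whose e-mail address has been
# confirmed by the user clicking the link sent to that mailbox.
VERIFIED_TOKENS = {"tok-123": "alice@mail.example"}


def groups_for(login_name):
    """Return the set of groups whose regex matches the login name."""
    return {g for g, rx in GROUP_REGEXPS.items() if re.match(rx, login_name)}


def create_user_vulnerable(token, params):
    """Defective pattern: every request parameter is merged into the user
    record, so a client-supplied login_name overrides the verified address."""
    email = VERIFIED_TOKENS.get(token)
    if email is None:
        raise ValueError("unknown or expired token")
    user = {"login_name": email, "realname": ""}
    user.update(params)  # defect: untrusted keys overwrite trusted ones
    user["groups"] = groups_for(user["login_name"])
    return user


def create_user_hardened(token, params):
    """Hardened pattern: only allow-listed fields are copied from the request;
    login_name comes solely from the token that proved mailbox ownership."""
    email = VERIFIED_TOKENS.get(token)
    if email is None:
        raise ValueError("unknown or expired token")
    allowed = {"realname"}
    user = {"login_name": email, "realname": ""}
    user.update({k: v for k, v in params.items() if k in allowed})
    user["groups"] = groups_for(user["login_name"])
    return user
```

The hardened variant also gives an audit hook: any existing account whose login_name differs from the address recorded at verification time is worth reviewing for group memberships it should not hold.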
BUGZILLA AND ITS REACH
Bugzilla is a web-based, general-purpose bug tracker and testing tool originally developed by the Mozilla Foundation, and it is used by a variety of organizations as the bug-tracking system for free and open-source software projects.
Among others, the software is used by the Mozilla Foundation, Apache, the Linux kernel, OpenSSH, Eclipse, KDE, the Wikimedia Foundation, Wireshark, Novell, and GNOME, as well as many Linux distributions.
Nearly 150 large software developers and open-source projects use Mozilla’s Bugzilla software to track the vulnerabilities in their products. The actual figure could be even higher, since many of the organizations are private.
PATCH AVAILABLE
Check Point reported the vulnerability to the Mozilla Foundation on September 29, and on Monday Bugzilla rushed out a patch for the issue to the public and warned the prominent organizations using it about its availability.
New Bugzilla versions are available for download: 4.0.15, 4.2.11, 4.4.6, and 4.5.6. “The overridden login name could be automatically added to groups based on the group's regular expression setting,” the advisory says.
While Mozilla has already patched its own public Bugzilla server at bugzilla.mozilla.org, that installation was never configured to allow email-based privilege escalation.