Previously undiscovered Bugzilla exploit patched

Bugzilla, the open source bug reporting and tracking tool used by Mozilla and many popular Linux distributions, has had a potentially damaging security flaw patched, reports Brian Krebs on his Krebs on Security website.

Krebs described the exploit as a “very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cybercriminals.” Fortunately, the bug was quickly closed after being discovered on September 29, and patches were made available on Monday, The Register reports, adding that “Mozilla has confirmed that the flaw exists in all versions of Bugzilla going back to version 2.23.3 from 2006.”

The exploit would have allowed attackers to “subvert the developer registration process in order to gain privileged access to information on zero days submitted to the site”, according to CSO.

In other words, the exploit could have given hackers insider information on security vulnerabilities before they were fixed. The bug worked by allowing users to bypass the email validation process, so that a cybercriminal could register an account with a faked address on the Bugzilla installation's own domain and thereby potentially gain access to vulnerability information restricted to that domain.
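The page does not describe the mechanism; the following is an added illustration (not Bugzilla's own code) of the Perl pitfall that the patched registration bug is known to have involved: a CGI parameter read in list context inside a hash constructor, where a request that repeats the parameter can inject extra key/value pairs and override the login address. The request values and the `param` helper are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed request: the "login" parameter is sent three times, as a
# real CGI module would return it in list context. A normal request
# carries a single value.
my %request = (
    login => [ 'attacker@example.net', 'login_name', 'someone@bugzilla.example' ],
    token => ['constructed-token'],
);

# Mimics CGI::param(): every value in list context, the first in scalar context.
sub param {
    my ($name) = @_;
    my @vals = @{ $request{$name} || [] };
    return wantarray ? @vals : $vals[0];
}

# Vulnerable pattern: param() runs in list context inside the hash
# constructor, so the extra values become further key/value pairs and the
# later 'login_name' key silently replaces the first one.
sub build_account_unsafe {
    my %account = (
        login_name => param('login'),
        realname   => 'New Contributor',
    );
    return \%account;
}

# Hardened pattern: scalar() forces a single value, so only the first
# submitted address can ever reach the hash.
sub build_account_safe {
    my %account = (
        login_name => scalar param('login'),
        realname   => 'New Contributor',
    );
    return \%account;
}

print "unsafe login_name: ", build_account_unsafe()->{login_name}, "\n";
print "safe   login_name: ", build_account_safe()->{login_name}, "\n";
```

Running it shows the unsafe form ending up with the domain address the attacker never verified, while the hardened form keeps the address actually submitted; auditing a Perl code base for `$cgi->param(...)` used as a hash value without `scalar` is the corresponding defensive check.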

In a response to Krebs’ original story, Mozilla denied that any vulnerabilities recorded on the official bugzilla.mozilla.org server were exposed, as its installation does not send bug reports to all domain addresses, but conceded that it’s “theoretically possible that other Bugzilla installations expose security bugs to ‘all employees’”.

The Register reports that the registration bug was not the only vulnerability to be patched in Monday’s update, which “also resolve a few other bugs that could potentially leak data from Bugzilla servers, including cross-site scripting vulnerabilities, a bug that can allow certain flagged comments to be visible to users without the right security access, and a flaw that allows code injection into search result reports.”


Author , ESET


Copyright © 2016 ESET, All Rights Reserved.