Bugzilla Bug Allows Privilege Escalation

Bug-tracking tool lets the user set up an account without email verification.

Mozilla has announced vulnerabilities in the Bugzilla bug-tracking tool used by software developers around the world. The bug lets an attacker bypass email verification when setting up a new account. Instead of waiting for login information to arrive by email, the user can log in directly.
This might not seem like a serious issue, but the real problem is that Bugzilla allows the admin to assign privileges based on email address. An attacker could simply use the email address of someone with a higher level of privilege and assume the higher privilege level. Circumventing email verification means the user never has to prove that the email address given when the account is created is correct.
Patches for fixing the bug are available now through the Bugzilla website.
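The following audit sketch is an added example, not Bugzilla code. It shows why authorization derived from an unverified email address is the real risk, and how a defender could flag affected accounts. The group rules, the `Account` fields, and the sample data are all hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical group rules: group name -> pattern the whole email must match.
# Constructed for illustration; not taken from any real installation.
GROUP_EMAIL_RULES = {
    "security-team": re.compile(r"[^@]+@security\.example\.org", re.I),
    "staff": re.compile(r"[^@]+@example\.org", re.I),
}


@dataclass
class Account:
    login_email: str
    email_verified: bool  # True only if the owner confirmed a mailed token


def groups_from_email(email):
    """Return the groups an account inherits purely from its email address."""
    return sorted(g for g, rx in GROUP_EMAIL_RULES.items() if rx.fullmatch(email))


def effective_groups(account):
    """Hardened policy: email-derived groups apply only after verification."""
    return groups_from_email(account.login_email) if account.email_verified else []


def audit(accounts):
    """List accounts that hold email-derived groups without a verified address."""
    findings = []
    for acct in accounts:
        groups = groups_from_email(acct.login_email)
        if groups and not acct.email_verified:
            findings.append((acct.login_email, groups))
    return findings


# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    Account("alice@security.example.org", True),
    Account("mallory@security.example.org", False),  # address never confirmed
    Account("bob@mail.example", False),
]

if __name__ == "__main__":
    for email, groups in audit(SAMPLE_ACCOUNTS):
        print(f"unverified account {email} would inherit: {', '.join(groups)}")
```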

10/14/2014
