Bugzilla Bug Allows Privilege Escalation

Bug-tracking tool lets the user set up an account without email verification.

Mozilla has announced vulnerabilities in the Bugzilla bug-tracking tool used by software developers around the world. The bug lets an attacker bypass email verification when setting up a new account: instead of the login information being sent to the supplied address by email, the attacker can log in directly.
This might not seem like a serious issue, but the real problem is that Bugzilla allows an admin to assign privileges based on email address. An attacker could simply register with the email address of someone who holds a higher level of privilege and assume that privilege level. Circumventing email verification means the user never has to prove that the address given when the account is created actually belongs to them.
Patches for fixing the bug are available now through the Bugzilla website.
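The two account-creation flows the article contrasts, as an added example that is not Bugzilla's own code: group membership derived from the claimed address before any verification (the vulnerable pattern) beside a flow that derives it only once the token emailed to the address is presented back. The rule list, group names and the `Registry` class are constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed policy: admin-defined address patterns that grant group membership,
# modelling the email-based privilege assignment the article describes.
EMAIL_GROUP_RULES = [
    (r"^[^@]+@corp\.example$", "editbugs"),
    (r"^admin@corp\.example$", "admin"),
]

@dataclass
class Account:
    email: str
    verified: bool = False
    groups: set = field(default_factory=set)

def groups_for_email(email: str) -> set:
    """Groups an address receives under the policy above."""
    return {g for pattern, g in EMAIL_GROUP_RULES if re.match(pattern, email)}

def create_account_unverified(email: str) -> Account:
    """Vulnerable flow: privileges follow the claimed address at once, so anyone
    who types a privileged address obtains its groups without owning the mailbox."""
    return Account(email, verified=False, groups=groups_for_email(email))

class Registry:
    """Hardened flow: the account stays inert until the token emailed to the
    address is presented back, which proves control of that mailbox."""
    def __init__(self):
        self.pending = {}   # token -> email awaiting confirmation
        self.accounts = {}  # email -> Account

    def begin_signup(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[token] = email
        return token  # delivered only via email, never echoed to the browser

    def confirm(self, token: str):
        email = self.pending.pop(token, None)  # single use
        if email is None:
            return None
        acct = Account(email, verified=True, groups=groups_for_email(email))
        self.accounts[email] = acct
        return acct

    def effective_groups(self, email: str) -> set:
        acct = self.accounts.get(email)
        return acct.groups if acct and acct.verified else set()
```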

10/14/2014
