
Zero-Day in Bugzilla Exposes Zero-Day Vulnerabilities to Hackers


Crypto

A critical zero-day vulnerability discovered in Mozilla’s popular Bugzilla bug-tracking software, used by hundreds of prominent software organizations, both private and open-source, could expose sensitive information and vulnerabilities of the software projects to hackers.
 
The critical flaw allows an attacker to bypass the email verification step when registering a new Bugzilla account, which clearly means that an attacker can register accounts using any email address of their choice without needing access to the actual inbox for validation purposes.
 
VALIDATION BYPASS AND PRIVILEGE ESCALATION BUG
Security firm Check Point Software Technologies disclosed the flaw (CVE-2014-1572) on Monday and said that it’s the first time a privilege-escalation vulnerability has been found in the Bugzilla project since 2002. The Mozilla Foundation has also confirmed that this particular bug exists in all versions of Bugzilla going back to version 2.23.3 from 2006.
 
 

An analysis carried out by the researchers at Check Point revealed that the critical "bug enables unknown users to gain administrative privileges" as well as "by using these admin credentials, attackers can then view and edit private and undisclosed bug details."
 
Furthermore, a hacker exploiting the flaw could intervene to destroy bug information in an effort to slow down the process of fixing vulnerabilities in a particular piece of software.

"The successful exploitation of the vulnerability allows the manipulation of any (database) field at the user creation procedure, including the 'login_name' field," Netanel Rubin, a researcher with Check Point, wrote in the initial report to Bugzilla. "This breaks the e-mail validation process and allows an attacker to create accounts which match the group's regex policies, effectively becoming a privileged user."

BUGZILLA AND ITS REACH
Bugzilla is a Web-based general-purpose bug tracker and testing tool originally developed by the Mozilla Foundation, and has been used by a variety of organizations as a bug tracking system for free and open source software projects.
 
Among others, the software is used by the Mozilla Foundation, Apache, the Linux kernel, OpenSSH, Eclipse, KDE, the Wikimedia Foundation, Wireshark, Novell, and GNOME, as well as many Linux distributions.
 
Nearly 150 large software developers and open-source projects use Mozilla’s Bugzilla software to track the vulnerabilities in their products. The actual figure could be even higher since many of the organisations are private.
 
PATCH AVAILABLE
Check Point reported the vulnerability to the Mozilla Foundation on September 29 and on Monday, Bugzilla rushed to release a patch for the issue to the public and warned the prominent organizations about its availability.
 
New Bugzilla versions are offered for download: 4.0.15, 4.2.11, 4.4.6, and 4.5.6. “The overridden login name could be automatically added to groups based on the group's regular expression setting,” the advisory says.
 
While Mozilla has already patched its own public Bugzilla server at bugzilla.mozilla.org, that installation was never configured to allow email-based privilege escalation.
 
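The mechanism the report describes, as an added example that is not part of the original post and not Bugzilla's own code: a simplified Python model in which every submitted form field is merged into the new account record after the e-mail token has been verified, so a submitted login_name overrides the verified address and can match a group's regular expression, beside a hardened version that allow-lists form fields and takes the login name from the verified token only. The group pattern, field names and e-mail addresses are constructed for the demonstration.

```python
import re

# Constructed group policy: membership is granted automatically to any account
# whose login name matches the group's regular expression (the "group regexp"
# setting the advisory refers to). The pattern itself is made up.
GROUP_REGEXPS = {"admin": r"@example\.org$"}

# Form fields a registrant is allowed to supply; login_name is deliberately absent.
ALLOWED_FORM_FIELDS = {"realname"}


def groups_for(login_name):
    """Return the groups whose regular expression matches login_name (unanchored
    search, as a Perl-style regexp setting would be applied)."""
    return sorted(g for g, rx in GROUP_REGEXPS.items() if re.search(rx, login_name))


def create_account_vulnerable(token, form):
    """Model of the flaw: the token proves control of one e-mail address, but
    every submitted field is merged into the record, so the verified login
    name can be replaced by an attacker-chosen one before groups are computed."""
    record = {"login_name": token["email"], "realname": ""}
    record.update(form)  # any database field, including login_name, is overwritten
    record["groups"] = groups_for(record["login_name"])
    return record


def create_account_fixed(token, form):
    """Hardened version: reject fields outside the allow-list and take the
    login name from the verified token alone, never from the form."""
    unexpected = set(form) - ALLOWED_FORM_FIELDS
    if unexpected:
        raise ValueError(f"unexpected account fields: {sorted(unexpected)}")
    record = {"login_name": token["email"], "realname": form.get("realname", "")}
    record["groups"] = groups_for(record["login_name"])
    return record


def override_rejected(token, form):
    """True when the hardened path refuses the submitted form."""
    try:
        create_account_fixed(token, form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    token = {"email": "registrant@mail.example"}          # verified via the e-mail token
    form = {"realname": "R.", "login_name": "x@example.org"}  # extra field in the request
    print(create_account_vulnerable(token, form)["groups"])  # ['admin']
    print(override_rejected(token, form))                     # True
```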
