Friday 18 September 2015

Serious Vulnerability In Bugzilla Discovered And Patched


A serious vulnerability has been discovered and patched in Bugzilla, the bug-tracking system that leading software projects such as Mozilla, the Linux kernel, the Apache Project, Red Hat and OpenOffice use to track bugs and vulnerabilities. Using the vulnerability, an attacker could log in to the system and, for instance, view sensitive bugs and problems that have not yet been patched.

It was recently announced that an attacker had gained access to Mozilla's Bugzilla system and so obtained information about a Firefox vulnerability for which no security update was yet available. The attacker then used this information to attack Firefox users. A common method of granting user access within Bugzilla is based on e-mail addresses.

If a user has an e-mail address belonging to a particular organization, he is treated as a trusted user. In Mozilla's case this concerns users who have, for example, an @mozilla.com e-mail address. The newly discovered vulnerability allows an attacker to create a Bugzilla account for any domain, even without access to an e-mail account on that domain.

The attacker can then use the created account to log in and, depending on the rights granted to users of that domain, access unfixed bugs and other information. The vulnerability was reported to Mozilla, which is responsible for the development of Bugzilla, on Monday, September 7th. An update appeared on Thursday, September 10th.

Take offline

Companies that use Bugzilla in combination with e-mail-based rights and have not yet installed this update are advised to take the system offline until the patch is deployed. The logs and the list of user accounts should also be reviewed to see whether any users were created via the vulnerability, advises PerimeterX, the company that discovered the vulnerability.
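The two points above, domain-based trust and the advice to review the user list, can be combined into a small audit. The following Python script is an added example written for this article; it is not code from Bugzilla, Mozilla or PerimeterX. It assumes a hypothetical export of user accounts that records, for each login, the address that actually received the confirmation e-mail and the creation date; the group names and the sample accounts are constructed for illustration.

```python
import re
from datetime import date

# Constructed domain-to-rights rules, modelled on the "users with an
# @mozilla.com address are trusted" scheme described in the article.
# The group names are hypothetical, not Bugzilla configuration.
DOMAIN_GROUPS = {
    "mozilla.com": {"security-sensitive", "editbugs"},
    "example-partner.org": {"editbugs"},
}

# Dates stated in the article: report to Mozilla and release of the update.
REPORTED = date(2015, 9, 7)
UPDATE_RELEASED = date(2015, 9, 10)

# Constructed user export: (login, address the confirmation mail reached, created).
# The third entry models an account whose login claims a trusted domain while
# the confirmation never went to that domain.
SAMPLE_USERS = [
    ("alice@mozilla.com", "alice@mozilla.com", date(2015, 8, 30)),
    ("bob@example-partner.org", "bob@example-partner.org", date(2015, 9, 1)),
    ("eve@mozilla.com", "eve@attacker.invalid", date(2015, 9, 8)),
    ("carol@gmail.example", "carol@gmail.example", date(2015, 9, 9)),
]

_ADDR = re.compile(r"[^@\s]+@([^@\s]+)")


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    m = _ADDR.fullmatch(address.strip())
    if m is None:
        raise ValueError("not an e-mail address: %r" % address)
    return m.group(1).lower()


def groups_for(login):
    """Rights a login receives purely from its e-mail domain."""
    return set(DOMAIN_GROUPS.get(domain_of(login), ()))


def audit(users, patch_deployed=UPDATE_RELEASED, reported=REPORTED):
    """Flag accounts worth a manual look after the fix is installed.

    Two signals, both assumptions of this example rather than anything the
    article specifies:
      1. the stored login is not the address that was actually verified, which
         is exactly the invariant the vulnerability broke;
      2. an account with domain-derived rights was created between the public
         report and the local patch deployment (a review heuristic only).
    Returns a list of (login, granted_groups, reasons).
    """
    findings = []
    for login, verified, created in users:
        reasons = []
        if login.strip().lower() != verified.strip().lower():
            reasons.append("login differs from verified address")
        granted = groups_for(login)
        if granted and reported <= created <= patch_deployed:
            reasons.append("privileged-domain account created in exposure window")
        if reasons:
            findings.append((login, sorted(granted), reasons))
    return findings


if __name__ == "__main__":
    for login, groups, reasons in audit(SAMPLE_USERS):
        print(login, groups, "; ".join(reasons))
```

The first check is the decisive one: an account that carries rights because of its domain but whose confirmation mail never reached that domain should not exist. The date window is only a way to prioritise review work, and `patch_deployed` should be set to the day the update was actually installed locally rather than the release date.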
