The Mozilla Foundation has warned of a number of recently discovered vulnerabilities in its Bugzilla bug-tracking tool that could give attackers access to sensitive information about software projects.
One particularly serious flaw allows attackers to bypass email verification phase when creating new Bugzilla accounts, meaning they can create accounts with any email addresses they want.
That's bad enough, but Bugzilla can also be configured to automatically assign extra security privileges to accounts based on their email addresses. That means attackers can potentially use this flaw to gain access to information about critical, unpatched security bugs that would normally only be visible to insiders with high security clearance.
Check Point Software, which first spotted the bug, says this is the first such privilege-escalation flaw to be found in the Bugzilla code since 2002, and Mozilla has confirmed that the flaw exists in all versions of Bugzilla going back to version 2.23.3 from 2006.
Luckily, Check Point disclosed the bug to Mozilla on September 29 and the two have been working together to provide patches, which shipped on Monday.
"While the email-based group inclusion could have been used to get access to employee-private bugs, we have seen no evidence that it was used," Mozilla principal security and privacy engineer Sid Stamm told El Reg in an emailed statement. "There have been no reports from users that sensitive data has been compromised and our investigation turned up no evidence that the vulnerability had been exploited other than by the Check Point researchers."
What's more, Stamm said, while Mozilla has already patched its own public Bugzilla server at bugzilla.mozilla.org, that installation was never configured to allow email-based privilege escalation. Still, Mozilla's server is certainly not the only one out there.
"Popular open source projects managing their bugs using Bugzilla include Apache, Firefox, the Linux kernel, OpenSSH, Eclipse, KDE, and GNOME as well as, many Linux distributions," Check Point said in a statement.
In addition to the privilege-escalation flaw, Monday's batch of patches also resolve a few other bugs that could potentially leak data from Bugzilla servers, including cross-site scripting vulnerabilities, a bug that can allow certain flagged comments to be visible to users without the right security access, and a flaw that allows code injection into search result reports.
Patches and the latest stable release of the software can be downloaded from the Bugzilla project's website. ®