Bugzilla Bug Allows Privilege Escalation
Mozilla has announced vulnerabilities in the Bugzilla bug-tracking tool used by software developers around the world. The bug lets the attacker bypass email verification when setting up a new account. Instead of sending the user login information by email, the user can log in directly.
This might not seem like a serious issue, but the real problem is that Bugzilla allows the admin to assign privileges based on email address. An attacker could simply use the email address of someone with a higher level of privilege and assume the higher privilege level. Circumventing email verification means the user never has to prove that the email address given when the account is created is correct.
Patches for fixing the bug are available now through the Bugzilla website.
Related content
- Stack Overflow Compromised
-
Email sender verification with DMARC
DMARC retrofits email with sender verification and thus provides a useful tool for fighting spam. -
Understanding Privilege Escalation
This sample attack will show you some of the techniques intruders use to scale up their powers.
-
Shadow admin permissions and your AWS account
Malicious attackers are trying to conquer your AWS castle in the cloud. To mount a strong defense, you'll need a deeper understanding of privilege escalation and shadow admin permissions. - Hackers Threaten to Wipe More Than 300 Million Apple Devices Remotely
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
