Unauthorized access to Bugzilla
The developers of the open-source bug-tracking tool Bugzilla have released updated versions of the software, along with patches for older versions, to close a security hole. An attacker could exploit the hole to create new accounts even when self-registration was disabled. The developers rate the vulnerability as critical for installations that restrict or disable account creation.
The flaw is exploitable only when Bugzilla's web service (the XML-RPC interface) is active. The function Bugzilla::WebService::User::offer_account_by_email does not check the createemailregexp parameter, the regular expression that administrators set to restrict which email addresses may register an account (an empty value disables self-registration entirely). Because the check is missing from this code path, the security advisory says, an attacker can create new accounts through the web service regardless of that setting, even though the browser-based registration page enforces it.
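To illustrate the class of defect the advisory describes, here is an added example in Python; it is not Bugzilla's code and not taken from the advisory. It models a site with a createemailregexp-style policy, a browser registration path that enforces the policy, a second web-service entry point that was written without the check, and a hardened variant that moves the check into the shared account-creation routine so that every entry point, including ones added later, inherits it. The class and function names, the matching rules (re.search, case-insensitive) and the sample addresses are this example's assumptions.

```python
import re
from dataclasses import dataclass, field


class AccountCreationDisabled(Exception):
    """Registration refused by the createemailregexp policy."""


@dataclass
class Params:
    # Modelled on Bugzilla's createemailregexp parameter: a regexp an address
    # must match to self-register; the empty string disables self-registration.
    # Matching with re.search and IGNORECASE is this example's assumption.
    createemailregexp: str = ".*"


def email_allowed(params: Params, email: str) -> bool:
    """Return True if the site policy permits this address to register itself."""
    if params.createemailregexp == "":
        return False
    return re.search(params.createemailregexp, email, re.IGNORECASE) is not None


@dataclass
class VulnerableSite:
    """Policy enforced only in the browser entry point."""
    params: Params
    accounts: set = field(default_factory=set)

    def _create_account(self, email: str) -> None:
        # Shared creation routine with no policy check of its own.
        self.accounts.add(email.lower())

    def ui_register(self, email: str) -> None:
        # Browser path: checks the policy, then creates the account.
        if not email_allowed(self.params, email):
            raise AccountCreationDisabled(email)
        self._create_account(email)

    def ws_offer_account_by_email(self, email: str) -> None:
        # Web-service path added later: the policy check was never added here.
        self._create_account(email)


class HardenedSite(VulnerableSite):
    """Same two entry points, but the policy lives in the shared creation routine."""

    def _create_account(self, email: str) -> None:
        if not email_allowed(self.params, email):
            raise AccountCreationDisabled(email)
        super()._create_account(email)


def try_register(site, entry_point: str, email: str) -> bool:
    """Attempt a registration via the named entry point; True if an account was created."""
    try:
        getattr(site, entry_point)(email)
    except AccountCreationDisabled:
        return False
    return email.lower() in site.accounts


def demo() -> dict:
    # Constructed policies and addresses for the demonstration.
    locked = Params(createemailregexp="")                      # self-registration disabled
    restricted = Params(createemailregexp=r"@corp\.example$")  # corp.example addresses only
    outsider = "attacker@evil.example"
    insider = "alice@corp.example"
    return {
        "vuln_ui_locked": try_register(VulnerableSite(locked), "ui_register", outsider),
        "vuln_ws_locked": try_register(VulnerableSite(locked), "ws_offer_account_by_email", outsider),
        "vuln_ws_restricted": try_register(VulnerableSite(restricted), "ws_offer_account_by_email", outsider),
        "fixed_ws_locked": try_register(HardenedSite(locked), "ws_offer_account_by_email", outsider),
        "fixed_ws_restricted_outsider": try_register(HardenedSite(restricted), "ws_offer_account_by_email", outsider),
        "fixed_ws_restricted_insider": try_register(HardenedSite(restricted), "ws_offer_account_by_email", insider),
    }


if __name__ == "__main__":
    for name, created in demo().items():
        print(f"{name}: {'account created' if created else 'refused'}")
```

Run it directly to see which attempts succeed: the vulnerable site refuses the outsider at the browser path but lets the same address in through the web service, while the hardened site refuses it on both paths and still admits the insider. Two points a practitioner should take from it: enforce an authorization policy where the privileged action happens, not separately at each entry point, and anchor the regexp (note the trailing $), since an unanchored pattern such as @corp\.example would also match attacker@corp.example.evil.net.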
If the SOAP::Lite Perl module is not installed on the server, however, the installation is not vulnerable, because without that module the web service is not enabled. Bugzilla versions 2.23.x, 3.0.x and 3.1.x are affected. The developers have provided patches for these versions and advise administrators to install them as soon as possible. They have also released versions 3.0.2 and 3.1.2, which contain the fix, and recommend that users of earlier versions upgrade to them.
- Security Advisory for Bugzilla 3.0.1 and 3.1.1 published by the developers
- Patch for Bugzilla versions 2.23.x and 3.0.x
- Patch for Bugzilla version 3.1.x
- Download the current versions of Bugzilla