RealTime IT News

Bugzilla Bug Squashed

A potentially dangerous security bug has been detected in Bugzilla, the popular open-source bug-tracking system run by the Mozilla Foundation.

Researchers warned of a cross-site scripting vulnerability in Bugzilla that lets a remote attacker create a malicious link containing script code; when a legitimate user follows the link, the script executes in that user's browser in the context of the Web site running Bugzilla.

Because Bugzilla does not properly sanitize input submitted by users, malicious script can be embedded in that input and exploited to steal the cookie-based authentication credentials of legitimate users of the Web site running the vulnerable software.

The security issue, however, only affects installations that have the 'quips' feature enabled, and users are urged to edit the 'quips' file to remove any malicious content. Patches have been added to the latest iterations of Bugzilla, which is currently at version 2.17.1.
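The two sides of the issue described above, the unsanitized quip reaching the page and the advice to clean the quips file, as an added example that is not part of the article or of Bugzilla's own code. It assumes a quips file with one quip per line (a constructed sample is embedded), flags quips that carry markup, and shows the raw rendering beside an HTML-escaped one.

```python
import html
import re

# Constructed sample of a Bugzilla-style quips file (one quip per line is an
# assumption about the file layout); lines 2 and 3 carry the kind of markup the
# advisory tells administrators to remove.
SAMPLE_QUIPS = """Ah, the joys of software development.
Nice bug <script>alert(document.cookie)</script>
Click <a href="javascript:alert(1)">here</a> for cheese
Fish & chips, < 5 minutes, no tags at all
"""

# Patterns that indicate a quip is carrying markup rather than plain text:
# any HTML tag, a javascript: URL, or an inline event-handler attribute.
MARKUP_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),   # any HTML tag
    re.compile(r"javascript\s*:", re.I),      # javascript: URL scheme
    re.compile(r"\bon[a-z]+\s*=", re.I),      # onload=, onmouseover=, ...
]


def suspicious_quips(quips_text):
    """Return (line_number, quip) for each quip that contains markup."""
    hits = []
    for lineno, quip in enumerate(quips_text.splitlines(), start=1):
        if any(p.search(quip) for p in MARKUP_PATTERNS):
            hits.append((lineno, quip))
    return hits


def render_quip_unsafe(quip):
    """The vulnerable pattern: raw quip text dropped straight into the page."""
    return "<p class='quip'>" + quip + "</p>"


def render_quip(quip):
    """The hardened pattern: HTML-escape the quip so the browser shows it as text."""
    return "<p class='quip'>" + html.escape(quip, quote=True) + "</p>"


if __name__ == "__main__":
    # Audit pass over the quips file, then show the safe rendering of a flagged quip.
    for lineno, quip in suspicious_quips(SAMPLE_QUIPS):
        print(f"line {lineno}: {quip}")
    print(render_quip(SAMPLE_QUIPS.splitlines()[1]))
```

Escaping at render time is the durable fix; editing the quips file only removes what has already been injected.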

Bugzilla, which started life as a bug-tracking system for AOL-owned Netscape Communications, has quickly developed into a favorite of the open-source crowd.

The Bugzilla project is in the midst of preparing for the launch of version 2.17.3 (scheduled for early January), which is expected to include some "major new features" targeting the enterprise market.

According to the project's home page, the new features will appeal to the enterprise market rather than just small companies and Open Source groups. "It [the new version] also puts enterprise-level features into the hands of the small companies and Open Source groups... [It is] a 'coming of age' for Bugzilla, and a really good demonstration of the power of Open Source," it boasted.