A potentially dangerous security bug has been detected in Bugzilla, the popular open-source
bug-tracking software run by the Mozilla Foundation.
Researchers warned of a cross-site scripting vulnerability in Bugzilla that lets a
remote attacker craft a malicious link containing script code; when a legitimate
user follows the link, the script executes in that user's browser in the context
of the Web site running Bugzilla.
Because Bugzilla does not properly sanitize the input submitted by users, malicious
script can be embedded in the page and exploited to steal cookie-based authentication
credentials from legitimate users of the Web site running the vulnerable software.
The issue, however, only affects installations that have the ‘quips’ feature
enabled. Administrators of such installations are urged to edit the ‘quips’ file and
remove any malicious content. Patches have been added to the latest iterations of
Bugzilla, which is now at version 2.17.1.
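To make the flaw and its fix concrete, here is an added Python example (not Bugzilla's own Perl code): the unescaped rendering the article describes next to an HTML-escaped version, plus a small audit of a quips file of the kind administrators were told to edit. The one-quip-per-line layout and every sample quip are constructed assumptions.

```python
import html
import re

# Constructed sample of a quips file, one quip per line (the storage format is an
# assumption made for this example, not something the article states).
SAMPLE_QUIPS = """Bugs are features in disguise.
<script>alert('quip')</script>
Ship it, we'll <b>fix</b> it in 2.17.3!
Plain text with an innocent 3 < 4 comparison."""

# Any HTML tag opener, javascript: URL, or on*= event attribute marks a quip as suspect.
SUSPECT = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def render_quip_vulnerable(quip):
    """Pre-fix behaviour described in the article: the quip is dropped into the
    page unchanged, so any markup in it becomes live HTML in the viewer's browser."""
    return "<p class='quip'>" + quip + "</p>"


def render_quip_fixed(quip):
    """Hardened version: HTML-escape the quip at output time so the browser sees
    text, never markup, no matter what the quips file contains."""
    return "<p class='quip'>" + html.escape(quip, quote=True) + "</p>"


def audit_quips(text):
    """Support the 'edit the quips file' advice: return (line_no, quip) pairs that
    contain markup or script-capable attributes and therefore warrant review."""
    flagged = []
    for n, line in enumerate(text.splitlines(), start=1):
        if SUSPECT.search(line):
            flagged.append((n, line))
    return flagged


if __name__ == "__main__":
    for n, quip in audit_quips(SAMPLE_QUIPS):
        print(f"line {n} needs review: {quip!r}")
        print("  vulnerable output:", render_quip_vulnerable(quip))
        print("  escaped output:   ", render_quip_fixed(quip))
```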
Bugzilla, which started life as a bug-tracking system for AOL-owned
Netscape Communications, has quickly developed into a favorite of the
open-source crowd.
The Bugzilla project is in the midst of preparing for the launch of version 2.17.3
(scheduled for early January), which is expected to include some “major new
features” targeting the enterprise market.
According to the project’s home page, the new features will appeal to the
enterprise market rather than just small companies and Open Source groups.
“It [the new version] also puts enterprise-level features into the hands of
the small companies and Open Source groups… [It is] a ‘coming of age’ for
Bugzilla, and a really good demonstration of the power of Open Source,” it
boasted.