Channel: BOT24

New Class of Vulnerability in Perl Web Applications

We did a Bugzilla security release today, to fix some holes responsibly disclosed to us by Check Point Vulnerability Research, to whom we are very grateful. The most serious of them would allow someone to create and control an account for an arbitrary email address they don’t own. If your Bugzilla gives group permissions based on someone’s email domain, as some do, this could be a privilege escalation.

These bugs are actually quite interesting, because they seem to represent a new Perl-specific security problem.

More here: http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/
