2014 is the year open source code fell from the high ground, now Bugzilla is buggy

this was an open source tool for the management of bugs and problems, used all over the world for the last 10 years

none of those thousands of developers, security people and open source freaks ever audited the code (or the thought process with which it was built and how to bypass that)

the sole fact that thousands of people were using it, and that some were contributing code or reporting bugs or problems, was considered sufficient to call it secure

well, in the IT world everything is possible that is not possible in any other industry

but code is code whatever the copyright and whatever the number of people using it or developing code for it

it is only secure if it has been audited, hacked, tested, and if there is a security team doing only that during the whole process

look at this 11 year old mistake

“An independent researcher has reported a vulnerability in Bugzilla which allows the manipulation of some database fields at the user creation procedure on Bugzilla, including the ‘login_name’ field,” said Sid Stamm, principal security and privacy engineer at Mozilla, which developed the tool and has licensed it for use under the Mozilla public license. “This flaw allows an attacker to bypass email verification when they create an account, which may allow that account holder to assume some privileges, depending on how a particular Bugzilla instance is managed.”

the possibility of tampering with the authentication fields in the database is one of the first things you look at during a security review of code or a process, because if that isn't robust then your whole authentication process is broken
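To make the class of defect concrete, here is an added, hypothetical account-creation flow in Python (not Bugzilla's own code, which is Perl): the first handler copies every submitted form field into the new user record, so a client-supplied login_name can replace the address the verification token was issued for; the second binds login_name to the verified address and accepts only an allowlist of client fields. The in-memory dicts stand in for database tables and are constructed for the example.

```python
import secrets

# Constructed stand-ins for the database tables.
PENDING_TOKENS = {}   # verification token -> e-mail address it was sent to
USERS = {}            # login_name -> stored user record


def request_account(email: str) -> str:
    """Step 1: issue a verification token bound to the requested address
    (in a real system the token is mailed to that address)."""
    token = secrets.token_urlsafe(16)
    PENDING_TOKENS[token] = email
    return token


def _consume_token(token: str) -> str:
    """Return the address a token was issued for, or refuse unknown tokens."""
    email = PENDING_TOKENS.pop(token, None)
    if email is None:
        raise PermissionError("unknown or already used verification token")
    return email


def create_account_vulnerable(token: str, form: dict) -> dict:
    """Step 2 (defective): every form field lands in the user record,
    so a submitted 'login_name' overrides the address that was verified."""
    record = {"login_name": _consume_token(token), "realname": ""}
    record.update(form)          # the defect: unfiltered copy of client fields
    USERS[record["login_name"]] = record
    return record


# Fields a client may set at registration; login_name is deliberately absent.
ALLOWED_FORM_FIELDS = ("realname",)


def create_account_fixed(token: str, form: dict) -> dict:
    """Step 2 (fixed): login_name comes only from the verified token, and
    only explicitly allowed fields are taken from the client."""
    record = {"login_name": _consume_token(token), "realname": ""}
    for field in ALLOWED_FORM_FIELDS:
        if field in form:
            record[field] = form[field]
    USERS[record["login_name"]] = record
    return record
```

The fixed handler makes the identity field depend on the verification step alone, which is the property a review of the sign-up path should check first.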

get the update here http://www.bugzilla.org/security/4.0.14/

so after OpenSSL, Shellshock and now this, isn't it time the open source community starts thinking about some real security auditing of its code

or do they think that it will fix itself?
