A zero-day in Bugzilla bug-tracking tool allows anyone to view detailed reports about unfixed vulnerabilities in a wide range of vulnerability repositories.

A new vulnerability in Bugzilla is scaring the security industry, it affects the Mozilla’s bug-tracking software, and could have a serious impact. The vulnerability in Bugzilla could be exploited by attackers to view detailed information regarding unfixed vulnerabilities in a wide range of applications.

Bugzilla announced that a fix for this severe weakness will be released as soon as possible, the experts believe that the organization will release it today.

The vulnerability databases are a mine of information for attackers that intend to exploit unfixed flaws in targeted applications, these information could be used by hackers for attacks or sold on the underground market to other threat actors.

The bug resides in Bugzilla account creation processes which allows attackers to create a Bugzilla account that bypasses validation and allows for privilege escalation. The attacker could exploit the flaw to create a new account, even with an administrator profile that belong to the targeted domain.

On the Bugzilla website are listed nearly 150 installations belonging to organization available on the Internet and much more private deployment. The list includes popular organizations like Apache, GNOME, Mozilla, Novell, Project, OpenOffice, Red Hat, Sandia National Laboratories, the Nessus Security Scanner, Wikimedia Foundation and Wireshark.

A researcher at Check Point Software Technologies,  Shahar Tal, reported the vulnerability to the Mozilla team explaining that he was able to register asadmin@mozilla.org to access report on private bugs managed by Mozilla.

“For example, we registered as admin@mozilla.org, and suddenly we could see every private bug under Firefox and everything else under Mozilla.” “We were able to inject an attacker-controlled string into any database field post-validation, including the ‘login_name’,” Tal said. “I don’t want to get into more details than that at this point in time.” He would not divulge details about the exploit.

Tal explained that the vulnerability was discovered during a vulnerability assessment and he anticipated that further disconcerting results will be revealed at the next Chaos Computer Club (CCC) in Hamburg.

“This vulnerability was discovered during an investigation we are currently running of some Perl issues,” he said. “We have some very interesting results coming up in that research (Bugzilla is a good sample, but not the last one), which we plan to present at the upcoming CCC in Hamburg later this year.”

Security expert Brian Krebs revealed that Sid Stamm, a security and privacy engineer with Mozilla has confirmed that the vulnerability affect Bugzilla application, Stamm said Mozilla is not aware of any breaches caused by the exploitation of to this flaw.