Bugzilla attack on bugzilla.mozdev.org
A couple of hours ago Bugzilla mails started to pour in from bugzilla.mozdev.org. They all contained the same comment and the same action.
firstname.lastname@example.org changed the status of all open bugs to Resolved Fixed. All the changes were submitted with the following comment:
these bugs are not from me they where on there when i bought the computer.
This is one of the first larger Bugzilla attacks I've seen. I'm not sure what can be done to prevent this. Anyone can sign up for a Bugzilla account, and anyone can change all aspects of bugs. This is the beauty of Bugzilla, but also its Achilles' heel.
Why not use different permission levels, then?
Say, ordinary accounts can only create bugs, add comments, and reopen bugs.
Or am I missing something?
Ouch. What's the recovery contingency plan?
Comment by Robin at January 25, 2005 12:39 PM
I've seen two Bugzilla vandalism links. One says it was mozdev, this one says mozilla? Were both hit, or did somebody miscommunicate?
Comment by Brant Gurganus at January 25, 2005 12:55 PM
Why did I get probed on five different ports when I submitted?
Comment by Brant Gurganus at January 25, 2005 12:58 PM
I think you can do no better than build in some spam heuristics for the comments and automatically warn the Bugzilla maintainer, with a possibility to undo all actions of the possible spammer.
It is, however, a lame and extremely useless attack, which I think is unlikely to happen often.
Comment by Bram at January 25, 2005 01:04 PM
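The heuristic Bram describes above, as an added example; this is not code from the post, from mozdev or from Bugzilla itself. It runs over a constructed one-line-per-change log (a flattened stand-in for the What/Removed/Added table in Bugzilla bugmail; the real mail format differs) with invented accounts, bug numbers and timestamps, and only the pasted comment text is taken from the post. It flags any account that moves many distinct bugs to RESOLVED within a short window, or that pastes one identical comment across many bugs, and builds the reverse-ordered list of field changes a maintainer would apply to undo that account's work.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Change = namedtuple("Change", "when who bug field removed added comment")

# The comment text is the one quoted in the post; every account, bug number
# and timestamp below is constructed for this example.
VANDAL_COMMENT = ("these bugs are not from me they where on there "
                  "when i bought the computer.")


def _constructed_sample():
    """Ordinary triage by a few accounts, then a fresh account moving five open
    bugs to RESOLVED/FIXED inside one minute with the same pasted comment."""
    lines = [
        "2005-01-25 09:15:02|alice@example.org|1042|Status|NEW|ASSIGNED|taking this one",
        "2005-01-25 10:40:11|bob@example.org|1077|Status|ASSIGNED|RESOLVED|fixed on trunk",
        "2005-01-25 10:40:11|bob@example.org|1077|Resolution||FIXED|fixed on trunk",
    ]
    t0 = datetime(2005, 1, 25, 11, 58, 40)
    touched = [(1001, "NEW"), (1002, "NEW"), (1005, "ASSIGNED"), (1009, "NEW"), (1013, "REOPENED")]
    for i, (bug, old_status) in enumerate(touched):
        when = (t0 + timedelta(seconds=12 * i)).strftime("%Y-%m-%d %H:%M:%S")
        who = "newaccount@example.net"
        lines.append(f"{when}|{who}|{bug}|Status|{old_status}|RESOLVED|{VANDAL_COMMENT}")
        lines.append(f"{when}|{who}|{bug}|Resolution||FIXED|{VANDAL_COMMENT}")
    lines.append("2005-01-25 12:30:00|carol@example.org|1021|Status|NEW|RESOLVED|dup of bug 1001")
    lines.append("2005-01-25 12:30:00|carol@example.org|1021|Resolution||DUPLICATE|dup of bug 1001")
    return "\n".join(lines)


SAMPLE_CHANGES = _constructed_sample()


def parse_changes(text):
    """One change per line: when|who|bug|field|removed|added|comment
    (a flattened stand-in for the What/Removed/Added table in bugmail)."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, who, bug, field, removed, added, comment = line.split("|", 6)
        changes.append(Change(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                              who, int(bug), field, removed, added, comment))
    return changes


def find_mass_resolvers(changes, threshold=4, window=timedelta(minutes=10)):
    """Return {account: [bug ids]} for accounts that either moved at least
    `threshold` distinct bugs to RESOLVED within `window`, or pasted one
    identical comment on at least `threshold` distinct bugs."""
    resolves = defaultdict(list)                        # who -> [(when, bug)]
    by_comment = defaultdict(lambda: defaultdict(set))  # who -> comment -> {bug}
    for c in changes:
        if c.field == "Status" and c.added == "RESOLVED":
            resolves[c.who].append((c.when, c.bug))
        if c.comment:
            by_comment[c.who][c.comment].add(c.bug)

    flagged = defaultdict(set)
    for who, events in resolves.items():
        events.sort()
        start = 0
        for end in range(len(events)):                  # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            bugs = {bug for _, bug in events[start:end + 1]}
            if len(bugs) >= threshold:
                flagged[who].update(bugs)
    for who, comments in by_comment.items():
        for bugs in comments.values():
            if len(bugs) >= threshold:
                flagged[who].update(bugs)
    return {who: sorted(bugs) for who, bugs in flagged.items()}


def undo_plan(changes, who):
    """Every field change by `who`, newest first, as (bug, field, current, restore_to),
    so that applying the list puts each field back to its pre-vandalism value."""
    mine = sorted(((c.when, i, c) for i, c in enumerate(changes) if c.who == who),
                  reverse=True)
    return [(c.bug, c.field, c.added, c.removed) for _, _, c in mine]


if __name__ == "__main__":
    changes = parse_changes(SAMPLE_CHANGES)
    for who, bugs in find_mass_resolvers(changes).items():
        print(f"suspect {who}: resolved bugs {bugs}")
        for bug, field, current, restore_to in undo_plan(changes, who):
            print(f"  bug {bug}: set {field} from {current!r} back to {restore_to!r}")
```

The threshold and window are guesses to be tuned per site: a release manager closing a batch of bugs after a milestone will also trip the resolve count, which is why the output is a warning to the maintainer rather than an automatic revert. In a real deployment the same logic would read Bugzilla's bugs_activity table (who, bug_when, fieldid, removed, added) rather than the mail stream, since that table is also the record needed to undo the changes.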
It's fixed now! All changes made by email@example.com have been removed.
Comment by Henrik Gemal at January 25, 2005 01:18 PM
I don't get it; the official Mozilla Bugzilla system doesn't allow new signups to change the status of any bugs. I can still add a comment to a ton of entries and spam people, but I can't change the database there. Should the Mozdev one be set up in a similar way?
Comment by Luke Reeves at January 25, 2005 03:13 PM
"Anyone can sign up for a bugzilla account and anyone can change all aspects of bugs."
It depends how you configure your Bugzilla. Neither the default nor bugzilla.mozilla.org is set up this way. In order to do anything more than add comments and file bugs, you need editbugs or canconfirm.
Gerv
Comment by Gerv at January 25, 2005 03:56 PM
TrackBack from Bugzilla Site Vandalized at January 27, 2005 04:36 PM
The bugzilla bug reporting and tracking system on the Mozilla development site mozdev.org was vandalized yesterday. Mozdev is a community site for Mozilla
I would like to know if we can archive the bugs in Bugzilla.
Example of a situation:
We have been using Bugzilla for more than a year; I am thinking of archiving all bugs that are around 6 months old or so.
If someone has come across such a situation, please let me know how I can proceed.