my $otheruser = Bugzilla::User->create({
login_name => $login_name,
- realname => $cgi->param('realname'),
+ realname => scalar $cgi->param('realname'),
cryptpassword => $password});
cgi->param() is vulnerable because it is context-sensitive, meaning it can return a scalar or a list. In the case of this vulnerability, if the ‘realname’ parameter contains multiple values (eg, realname=value1&realname=value2), cgi->param() returns a list. Furthermore, if one of the values is a previously assigned key within the hash, such as login_name, it will be overwritten with the next value in the list, opening the door for potential exploitation. The fix for this was to force a scalar value to be returned.
When finalizing the creation of a user account, Bugzilla utilizes the login_name variable to automatically add the user to an existing group. What group the user joins depends on the group’s regex settings. The following shows precisely how an attacker can exploit this vulnerability:
A group, named Local Guys, has been set up for email addresses matching @example.com.
This group is the only one with ‘view access’ for any bugs within TestProduct:









Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.