
BugZilla Vulnerabilities

by Phiber on September 1st, 2001

Three vulnerabilities have been discovered: a process_bug.cgi restricted bug comment disclosure vulnerability, a show_activity.cgi restricted bug comment disclosure vulnerability, and a showattachment.cgi arbitrary bug viewing vulnerability.


The first one:
A problem in Bugzilla has been discovered that allows remote users to gain access to restricted bug information. Upon viewing a restricted bug, the user may save the show_bug.cgi page and inspect the hidden form fields.
- Loading the modified page and clicking Commit yields the comments.


The second one:

It is possible for a remote user to gain access to sensitive bug information through the show_activity.cgi interface. Upon finding a bug that is displayed as restricted through the show_bug.cgi interface, the user may request the bug id through the show_activity.cgi script, which will render the full comments of the bug.


The third one:

An input validation problem exists with Bugzilla. A user of Bugzilla 2.12 may submit an arbitrary bug ID number as an argument to 'showattachment.cgi', potentially disclosing information about "restricted" bugs.

- This may be a threat if Bugzilla is being used during the development of proprietary source code.
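All three issues share one root cause: the view restriction was enforced when show_bug.cgi rendered the page, but not at the other entry points that expose the same data (the activity log, the attachment viewer, and the form handler that trusts fields the browser posts back). The following is an added example, not Bugzilla's own code, of the fix pattern a maintainer would apply: a toy tracker in Python in which every handler reloads the bug from the server-side store and passes through one authorization gate, and in which process_bug discards any restriction fields supplied by the client. The bug records, users, group names, and handler names are constructed stand-ins for the scripts named in the advisory.

```python
"""Added example: one server-side authorization check shared by every entry point.

Toy model of a Bugzilla-style tracker (not Bugzilla's own code). Each handler
reloads the bug from the server-side store and runs the same check, so the
activity view and the attachment view cannot leak what the bug view hides,
and the form handler ignores whatever hidden fields the client sends back.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Bug:
    bug_id: int
    summary: str
    groups: frozenset      # groups allowed to view the bug; empty means public
    comments: tuple        # free-text comments, the sensitive part
    attachments: tuple


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset


class BadRequest(Exception):
    """Malformed bug id (input validation failure)."""


class Forbidden(Exception):
    """Bug is restricted to groups the user is not in, or does not exist."""


# Constructed sample data standing in for the bugs table.
BUGS = {
    100: Bug(100, "typo on login page", frozenset(), ("fix in r17",), ("patch.diff",)),
    200: Bug(200, "heap overflow in parser", frozenset({"core-security"}),
             ("reproducer attached", "embargoed until fix ships"), ("repro.bin",)),
}


def parse_bug_id(raw):
    """Accept only a non-empty decimal integer string; reject anything else."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise BadRequest(f"bad bug id: {raw!r}")
    return int(raw)


def can_see_bug(user, bug):
    """Public bugs are visible to all; restricted bugs need a shared group."""
    return not bug.groups or bool(user.groups & bug.groups)


def load_visible_bug(user, raw_id):
    """The single gate every handler goes through.

    A missing bug and a restricted bug raise the same Forbidden, so the
    endpoint does not act as an oracle for which restricted ids exist.
    """
    bug_id = parse_bug_id(raw_id)
    bug = BUGS.get(bug_id)
    if bug is None or not can_see_bug(user, bug):
        raise Forbidden(f"bug {bug_id} is not available")
    return bug


# Handlers named after the scripts in the advisory (hypothetical stand-ins).
def show_bug(user, raw_id):
    bug = load_visible_bug(user, raw_id)
    return {"id": bug.bug_id, "summary": bug.summary, "comments": list(bug.comments)}


def show_activity(user, raw_id):
    # Same gate as show_bug: the activity log carries the same comments.
    bug = load_visible_bug(user, raw_id)
    return [f"comment {i}: {c}" for i, c in enumerate(bug.comments)]


def show_attachment(user, raw_id):
    # The id is validated and authorized before any attachment lookup.
    bug = load_visible_bug(user, raw_id)
    return list(bug.attachments)


def process_bug(user, form):
    """Apply a submitted change.

    Authorization comes from the store, never from hidden fields echoed back
    by the browser; a client-supplied 'groups' value is simply ignored.
    """
    bug = load_visible_bug(user, form.get("id"))
    comment = (form.get("comment") or "").strip()
    if comment:
        bug = replace(bug, comments=bug.comments + (comment,))
        BUGS[bug.bug_id] = bug
    # Render the same view show_bug would, after the same check.
    return show_bug(user, str(bug.bug_id))
```

The design choice worth noting is that `load_visible_bug` is the only path from a request parameter to a `Bug` object, so a new script cannot accidentally skip the check, and `process_bug` never reads restriction state from the submitted form at all.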


Solution:


FYI:

Bugzilla is a free, open source bug tracking and reporting application. It allows users to submit bugs, offers a forum for discussing bugs, keeps track of the status of bugs, and can restrict who has access to bug information.

