Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Bugtraq: [BUGZILLA] Security Advisory - information leak

[BUGZILLA] Security Advisory - information leak

From: David Miller <justdave_at_bugzilla.org>
Date: Mon, 10 Nov 2003 01:04:38 -0500

Bugzilla Security Advisory

November 9, 2003

Summary
=======

Bugzilla is a Web-based bug-tracking system, currently used by a large
number of software projects.

This advisory covers a security bug which was accidently introduced in
development version 2.17.5 and subsequently fixed in the Bugzilla code
involving unprivileged access to restricted data.

All Bugzilla installations who have upgraded to the 2.17.5 development
snapshot are encouraged to obtain version 2.17.6 or apply the relevant
patch.

The current stable version of Bugzilla is 2.16.4, and is not affected
by this advisory.

Vulnerability Details
=====================

Class: Information leak
Versions: 2.17.5 is the only version affected.
Description: A new feature was introduced in version 2.17.5 which allows
             remote websites to build tooltips and other dynamically
             generated data using current bug information retrieved from
             Bugzilla. A security lapse in the initial implementation
             of this feature allows the remote site to obtain that
             information from Bugzilla using the privileges of the
             client user.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=195530

Vulnerability Solutions
=======================

The fix for the security bug mentioned in this advisory is included in
the 2.17.6 release. Upgrading to this release will protect
installations from this issue. As stated above, this only affects
Bugzilla 2.17.5, and does not affect the stable version 2.16.4.

Full release downloads of Bugzilla 2.17.6 and CVS upgrade instructions
can be found at:
  http://www.bugzilla.org/download.html

A specific patch for this issue can be found on the corresponding bug
report, at the URL given in the reference for the issue in the
Vulnerability Details section above.

Credits
=======

The Bugzilla team wish to thank Gervase Markham for discovering and
fixing this promptly after he introduced it.

General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/discussion.html has directions for
accessing these forums.

-30- 

-- 
Dave Miller      Project Leader, Bugzilla Bug Tracking System
http://www.justdave.net/             http://www.bugzilla.org/
Received on Nov 10 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]