|
|
|
|
| |
"Bugzilla is a "Defect Tracking System" or "Bug-Tracking System". Defect Tracking Systems allow individual or groups of developers to keep track of outstanding bugs in their product effectively."
Bugzilla does not validate properly settings before allowing unprivileged users to obtain restricted data that only authenticated users can see and expose users status on the system when configured not to. |
| |
Credit:
The information has been provided by mkanat.
The bug reports can be found at: https://bugzilla.mozilla.org/show_bug.cgi?id=308256,
https://bugzilla.mozilla.org/show_bug.cgi?id=308662
|
| |
Vulnerable Systems:
* Bugzilla version 2.18.3
* Bugsilla version 2.20rc2
* Bugzilla version 2.21
Immune Systems:
* Bugzilla version 2.16
* Bugzilla version 2.20
Information Leak 1:
config.cgi gives JavaScript and RDF information about Bugzilla to third-party clients, including a list of products in the Bugzilla installation. The "requirelogin" parameter requires that all people be logged into Bugzilla before seeing any data, as a security measure.
In affected versions, config.cgi is always accessible, and always contains information to non-logged-in users, even when "requirelogin" is turned on, possibly exposing product names that administrators expected to be confidential.
Information Leak 2:
Bugzilla contains features to prevent users from "seeing" other users, enabled by the "usevisibilitygroups" parameter. Bugzilla also contains a feature called "user matching," which enables users to type in part of a username and get back a list of possible matches.
If user matching is turned on and is in "substring" mode, all matching users will be returned to a query, regardless of the visibility groups settings, exposing users who should be invisible.
Vendor Status:
The vendor has wrote the following: "The fixes for all of the security bugs mentioned in this advisory are included in the 2.18.4, 2.20, and 2.21.1 releases. Upgrading to these releases will protect installations from possible exploits of these issues.
Full release downloads, patches to upgrade Bugzilla from previous versions, and CVS upgrade instructions are available at: http://www.bugzilla.org/download/
Specific patches for each of the individual issues can be found on the corresponding bug reports for each issue, at the URL given in the reference for that issue in the list above."
|
|
|
|
|
