
Bugzilla Advisory 2.16.5

Bugzilla Advisory 2.16.5
Posted Jul 14, 2004
Authored by The Bugzilla Project | Site bugzilla.org

Bugzilla Advisory: Multiple security issues in Bugzilla have been discovered. These include information gathering issues (for example, database passwords may be revealed in webserver error messages), Cross Site Scripting issues, and design flaws which may make "confidential" data "protected" by Bugzilla available to all users.

tags | advisory, xss
SHA-256 | c3e1dd3ee84db1b712d6183a8cb294ebae02d3b9ad75ec77b82cb213a5e1aff7

2.16.5, 2.17.7 Security Advisory
July 10, 2004


Bugzilla is a Web-based bug-tracking system, used by a large number of
software projects.

This advisory covers security bugs that have recently been discovered
and fixed in the Bugzilla code: In the stable 2.16 releases, one instance
of arbitrary SQL injection exploitable only by a privileged user, several
instances of insufficient data validation and/or escaping, and two
instances of unprivileged access to names of restricted products. We know
of no occasion where any of these vulnerabilities have been exploited.

All Bugzilla installations are advised to upgrade to the latest stable
version of Bugzilla, 2.16.6, which was released today.

Development snapshots prior to version 2.18rc1 are also affected, so if
you are using a development snapshot, you should obtain a newer one
(2.18rc1) or use CVS to update.

Vulnerability Details

Issue 1
Class: Database Password Compromise
Versions: 2.17.1 through 2.17.7 (2.16-based releases are not affected)
Description: If the SQL server is halted but the webserver is left running,
older versions of DBI display an error message to the remote
user which contains the database password. While a properly-
configured database would still only be accessible by a local
user using that password, all installations are advised to
change the password after upgrading.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=227191

Issue 2
Class: Privilege escalation
Versions: 2.17.1 through 2.17.7 (2.16-based releases are not affected)
Description: A user with privileges to grant membership to one or more
individual groups (i.e. usually an administrator) can
trick the administrative controls into granting membership
in groups other than the ones he has privileges for.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=233486

Issue 3
Class: Information Leak
Versions: All versions prior to 2.16.6 and 2.18rc1
Description: If Bugzilla is configured to hide entire products from some
users, both duplicates.cgi and the form for mass-editing a
list of bugs in buglist.cgi can disclose the names of those
hidden products to such users.
References: http://bugzilla.mozilla.org/show_bug.cgi?id=234825

Issue 4
Class: Cross-site scripting vulnerability
Versions: All versions prior to 2.16.6 and 2.18rc1
Description: Several administration CGIs echo invalid data back to the
user without escaping it.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=235265

Issue 5
Class: User Password embedded in URL
Versions: 2.17.5 through 2.17.7 (2.16-based releases are not affected)
Description: The user's password can be embedded as part of an image URL,
and thus visible in the web server logs, if the user is
prompted to log in while attempting to view a chart.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=235510
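The leak in Issue 5 leaves a trace on the server side: a credential carried in a GET query string is written to the access log along with the rest of the request line. The following script is an added example, not Bugzilla code, showing how an administrator could scan an Apache combined-format log for such entries and produce a redacted copy of each offending URL. The log lines are constructed samples, and the `chart.cgi` path and the `Bugzilla_login` / `Bugzilla_password` parameter names are assumptions made for illustration, not taken from the advisory.

```python
"""Scan web server access logs for credentials leaked in request URLs.

Added example for Issue 5 of the advisory (password embedded in an image URL
and therefore written to the access log).  Not Bugzilla code.  Parameter
names and the chart.cgi path are assumptions for illustration; the log lines
are constructed samples in Apache combined log format.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string keys that must never reach an access log (assumed names).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "bugzilla_password", "login_password"}

# Apache combined format:
#   client ident authuser [time] "METHOD URL PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def sensitive_params(url):
    """Return the names of sensitive query parameters present in the URL."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_KEYS]


def redact_url(url):
    """Return the URL with every sensitive parameter value replaced by [REDACTED]."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    # safe="[]" keeps the marker readable instead of percent-encoding the brackets.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(redacted, safe="[]"), parts.fragment))


def scan_log(lines):
    """Return one finding per log line whose request URL carries a credential."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at the fields
        keys = sensitive_params(m.group("url"))
        if keys:
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "leaked": keys,
                "redacted_url": redact_url(m.group("url")),
            })
    return findings


# Constructed sample log lines; not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2004:09:12:01 +0000] "GET /bugzilla/show_bug.cgi?id=1234 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Jul/2004:09:12:09 +0000] "GET /bugzilla/chart.cgi?image=1&Bugzilla_login=alice%40example.org&Bugzilla_password=s3cret HTTP/1.1" 200 4011 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jul/2004:09:13:44 +0000] "POST /bugzilla/index.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} leaked={f['leaked']}")
        print("  redacted:", f["redacted_url"])
```

A hit in the log is a reason to treat the password as compromised, which matches the advisory's advice to change credentials after upgrading; the redacted URL is what should be retained if the log must be kept.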

Issue 6
Class: Remote SQL injection vulnerability
Versions: All versions prior to 2.16.6 and 2.18rc1
Description: A user with privileges to grant membership to any group
(i.e. usually an administrator) can trick editusers.cgi
into executing arbitrary SQL.
Reference: http://bugzilla.mozilla.org/show_bug.cgi?id=244272
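Issues 2, 4 and 6 share a root cause: request data reaching an administrative CGI is trusted where it should be checked, escaped or parameterized. The block below is an added example, not Bugzilla code (Bugzilla is written in Perl; this is a Python sketch), placing each defect beside its fix: an error page that echoes a rejected value unescaped next to one that escapes it (Issue 4), a group lookup that interpolates the parameter into SQL next to one that binds it (Issue 6), and a grant function that decides on the server which groups the actor may grant rather than trusting the form (Issue 2). The table and column names are assumptions for illustration.

```python
"""Defects of the kind named in the advisory, each beside its fix.

Added example; not Bugzilla code.  Issue 4: an admin CGI echoes an invalid
parameter into HTML unescaped.  Issue 6: an admin CGI builds SQL from a
request parameter by string interpolation.  Issue 2: membership is granted
without a server-side check of what the actor may grant.  Schema, table and
column names are assumptions for illustration.
"""
import html
import sqlite3


def make_db():
    """Constructed in-memory schema standing in for the group-membership tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE user_group_map (user_id INTEGER, group_id INTEGER);
        INSERT INTO groups (id, name) VALUES (1, 'editbugs'), (2, 'admin');
    """)
    return db


# ---- Issue 4: echoing invalid input back to the user ----------------------

def error_page_vulnerable(bad_value):
    """Echoes the rejected value verbatim: markup in the value becomes markup in the page."""
    return f"<p>Invalid group name: {bad_value}</p>"


def error_page_fixed(bad_value):
    """Escapes the value so the browser renders it as text, whatever it contains."""
    return f"<p>Invalid group name: {html.escape(bad_value, quote=True)}</p>"


# ---- Issue 6: SQL assembled from request data -----------------------------

def group_id_vulnerable(db, group_name):
    """Interpolates the request parameter into the query text, so quote characters
    in the value change the query's meaning."""
    sql = f"SELECT id FROM groups WHERE name = '{group_name}' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def group_id_fixed(db, group_name):
    """Binds the parameter separately; the driver never parses it as SQL."""
    rows = db.execute("SELECT id FROM groups WHERE name = ? ORDER BY id", (group_name,))
    return [row[0] for row in rows]


# ---- Issue 2: granting membership only within the actor's authority -------

def grant_membership(db, grantable, user_id, group_name):
    """Grant user_id membership in group_name only if the actor may grant that group.

    `grantable` is the set of group names the acting user is permitted to grant,
    computed on the server from the actor's own privileges, never taken from the
    submitted form.  Returns True on success, False if refused or unknown.
    """
    ids = group_id_fixed(db, group_name)
    if not ids or group_name not in grantable:
        return False
    db.execute(
        "INSERT INTO user_group_map (user_id, group_id) VALUES (?, ?)",
        (user_id, ids[0]),
    )
    return True


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"   # constructed value with a quote in it
    print("vulnerable lookup:", group_id_vulnerable(db, tainted))  # matches every group
    print("fixed lookup:     ", group_id_fixed(db, tainted))       # matches nothing
    print(error_page_vulnerable("<b>x</b>"))
    print(error_page_fixed("<b>x</b>"))
    print("grant admin with editbugs authority:", grant_membership(db, {"editbugs"}, 42, "admin"))
    print("grant editbugs with editbugs authority:", grant_membership(db, {"editbugs"}, 42, "editbugs"))
```

The point of the paired functions is that the fix is not stricter rejection of particular characters: the escaped page and the bound query are correct for every value, including ones the author of the CGI did not anticipate, and the grant decision rests on state the server already holds.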

Vulnerability Solutions

The fixes for all of the security bugs mentioned in this advisory
are included in the 2.16.6 and 2.18rc1 releases. Upgrading to these
releases will protect installations from possible exploits of these

Full release downloads, patches to upgrade Bugzilla to 2.16.6 from
previous 2.16.x versions, and CVS upgrade instructions are available at:

Specific patches for each of the individual issues can be found on the
corresponding bug reports for each issue, at the URL given in the
reference for that issue in the list above.


The Bugzilla team wish to thank the following people for their
assistance in locating, advising us of, and assisting us to fix
these situations:

Vlad Dascalu
Laran Evans
Jouni Heikniemi
Felix Hieronymi
Byron Jones
Gervase Markham
Dave Miller
Gabriel Millerd
Joel Peshkin
Christian Reis

General information about the Bugzilla bug-tracking system can be found
at http://www.bugzilla.org/

Comments and follow-ups can be directed to the
netscape.public.mozilla.webtools newsgroup or the mozilla-webtools
mailing list; http://www.bugzilla.org/discussion.html has directions for
accessing these forums.
