
Multiple Vulnerabilities in Mozilla Bugzilla

Reported August 29, 2001, by David Miller.

VERSIONS AFFECTED

  • All versions of Mozilla Bugzilla prior to version 2.14


DESCRIPTION
Multiple vulnerabilities exist in the Bugzilla Web-based bug-tracking system available from Mozilla.org, some of which include:


  • Multiple instances of unauthorized access to confidential bugs have been fixed.

  • Multiple instances of untrusted parameters not being checked or escaped have been fixed.

  • After logging on, passwords no longer appear in the URL.

  • Procedures that prevent unauthorized access to confidential files are now simpler. In particular, the shadow directory no longer exists, and the data/comments file no longer needs to be directly accessible, so the entire data directory can be blocked from web access. However, because no new files must be protected, users with a properly secured 2.12 installation don't need to make any changes.

  • If the files don't exist already, checksetup.pl will by default attempt to write Apache .htaccess files that prevent unauthorized access to confidential files. You can turn this feature off in the localconfig file.

  • Bugzilla no longer stores passwords in plaintext. Existing plaintext passwords are eradicated the next time you run checksetup.pl. Users must now change their password through a password change request validated via their email account, rather than by having the password sent to them in the mail.
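An added illustration of the .htaccess mitigation described above; this is not Bugzilla's own checksetup.pl, and the directory layout (BUGZILLA_ROOT/data) and the Apache 1.3/2.2 "deny from all" directive are assumptions. It writes a deny-all .htaccess into the data directory only if none exists, and separately checks that an existing file actually contains such a rule.

```shell
#!/bin/sh
# Illustrative helper (not Bugzilla's checksetup.pl): deny all web access to a
# Bugzilla data directory via an Apache .htaccess file, and verify the cover.
# Assumes the classic Apache 1.3/2.2 "deny from all" syntax (Apache 2.4 honours
# it only with mod_access_compat loaded).

# protect_data_dir BUGZILLA_ROOT
# Mirrors the behaviour described in the advisory: create data/.htaccess with a
# deny-all rule only if no .htaccess exists yet; an existing file is left alone.
# Returns 0 if a data/.htaccess file exists afterwards, 1 on failure.
protect_data_dir() {
    root="$1"
    dir="$root/data"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    if [ ! -e "$dir/.htaccess" ]; then
        cat > "$dir/.htaccess" <<'EOF'
# Deny all direct web access to Bugzilla's data directory.
deny from all
EOF
    fi
    [ -f "$dir/.htaccess" ]
}

# check_data_dir_protected BUGZILLA_ROOT
# Returns 0 if data/.htaccess exists and contains a "deny from all" directive
# (case-insensitive, leading whitespace allowed), otherwise 1. A pre-existing
# .htaccess that lacks the rule therefore fails the check even though
# protect_data_dir will not overwrite it.
check_data_dir_protected() {
    f="$1/data/.htaccess"
    [ -f "$f" ] || return 1
    grep -iqE '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$f"
}
```

Run check_data_dir_protected against an upgraded installation before trusting that the data directory is blocked; a stale .htaccess from an earlier setup may not contain the rule.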

VENDOR RESPONSE

The vendor, Mozilla.org, has released version 2.14 that fixes these vulnerabilities.


CREDIT
Discovered by David Miller.
