Multiple Vulnerabilities in Mozilla Bugzilla

Reported August 29, 2001, by David Miller.


  • All versions of Mozilla Bugzilla prior to version 2.14


Multiple vulnerabilities exist in the Bugzilla Web-based bug-tracking system available from, some of which include:


  • Multiple instances of unauthorized access to confidential bugs that have been fixed.

  • Multiple instances of untrusted parameters not being checked or escaped were fixed.

  • After logging on, passwords no longer appear in the URL.

  • Procedures that prevent unauthorized access to confidential files are now simpler.  In particular, the shadow directory no longer exists, and the data/comments file no longer needs to be directly accessible, so an attacker can block the entire data directory. However, because no new files must be protected, users don't need to make any changes if they have a properly secured 2.12 installation.

  • If the files don't exist already, will attempt to write Apache .htaccess files by default to prevent unauthorized access to confidential files.  You can turn this feature off in the localconfig file.

  • The software no longer stores the password in plaintext form. The program eradicates the password the next time you run Users must now change their password by using a password change request that their email accounts validate rather than by getting the password in the mail.


The vendor,, has released version 2.14 that fixes these vulnerabilities.


Discovered by David Miller.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.