Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps A-M :: lnx5901.htm

Bugzilla remote database password disclosure



3rd Jan 2003 [SBWID-5901]
COMMAND

	Bugzilla remote database password disclosure

SYSTEMS AFFECTED

	 Vulnerabilities affect all previous 2.14 and 2.16 releases.
	 Development snapshots prior to version 2.17.3 are also affected.

PROBLEM

	In  Dave  Miller  Project   Leader,   Bugzilla   Bug   Tracking   System
	[http://www.justdave.net/] [http://www.bugzilla.org/] advisory :
	
	This advisory covers two security bugs:  one  involves  incorrect  local
	permissions on a directory,  allowing  local  users  access.  The  other
	involves protecting configuration information leaks due to backup  files
	created by editors.
	
	The following security issues were fixed in 2.14.5, 2.16.2, and 2.17.3:
	
	- The provided data collection script intended to be run  as  a  nightly
	cron
	  job changes the permissions of the data/mining directory to be world-
	  writable every time it runs. This would enable local users to alter or
	  delete the collected data.  (Bugzilla bug 183188 / Bugtraq ID 6502).
	
	- The default .htaccess scripts provided by checksetup.pl do not block
	  access to backups of the localconfig file that might be created by
	  editors such as vi or emacs (typically these will have a .swp or ~
	  suffix).  This allows an end user to download one of the backup copies
	  and potentially obtain your database password.  If you already have such
	  an editor backup in your bugzilla directory it would be advisable to
	  change your database password in addition to upgrading.
	
	  In addition, we also continue to recommend hardening access to the
	  Bugzilla database user account by limiting access to the account to
	  the machine Bugzilla is served from (typically localhost); consult the
	  MySQL documentation for more information on how to accomplish this.
	  (Bugzilla bug 186383 / Bugtraq ID 6501)
	
	Also included in these releases are the  patches  that  were  posted  as
	part of our earlier security advisory on November 26th, 2002.  (Bugzilla
	bug       179329,       Bugtraq       ID        6257        -        see
	http://online.securityfocus.com/archive/1/301316 )
	
	Complete bug reports  for  the  security  bugs  covered  herein  may  be
	obtained at:
	
	   http://bugzilla.mozilla.org/show_bug.cgi?id=183188
	   http://bugzilla.mozilla.org/show_bug.cgi?id=186383
	

SOLUTION

	The fixes for both security bugs contained in this release, as  well  as
	the previously announced security  bug  involving  cross-site  scripting
	vulnerabilities  are  contained  in  the  2.14.5,  2.16.2,  and   2.17.3
	releases.  Upgrading  to  these  releases  will  protect   installations
	against exploitations of these security bugs.
	
	Individual patches to upgrade Bugzilla are available at:
	
	  http://ftp.mozilla.org/pub/webtools/
	  (these patches are only valid for 2.14.4 and 2.16.1 users).
	
	Full release downloads and CVS upgrade instructions are available at:
	
	  http://www.bugzilla.org/download.html
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH