
Bugzilla remote command injection

2nd Oct 2002 [SBWID-5723]
COMMAND

	Bugzilla remote command injection

SYSTEMS AFFECTED

	Bugzilla 2.14.x releases before 2.14.4 and 2.16.x releases before 2.16.1

PROBLEM

	From the Bugzilla security advisory by Dave Miller:
	

	--snipp--
	

	- Permissions leak when using "usebuggroups" and more than 47 groups;
	permissions are granted to users in higher groups when they shouldn't
	be. (bug 167485; comment 12 has additional detection/recovery
	information)
	

	http://bugzilla.mozilla.org/show_bug.cgi?id=167485#c12

	

	- bugzilla_email_append.pl calls processmail insecurely; command
	injection possible. (bug 163024)
	

	The following additional security issue was fixed in 2.16.1:
	

	- Apostrophes are not properly handled during account creation; SQL
	injection possible. (bug 165221)
	

	--snipp--
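	The two injection classes the advisory names (a script handing a processmail command line to the shell, and account creation splicing an unescaped apostrophe into SQL) are illustrated below. This is an added example in Python, not Bugzilla's own Perl code and not the fixed or vulnerable source of bugzilla_email_append.pl or the account-creation CGI: the bug id / sender fields, the `profiles` table with a `groupset` column, the `echo` stand-in for processmail and the payload strings are all constructed assumptions. The vulnerable form of each operation sits beside the hardened one (argv list without a shell; bound SQL parameters).

```python
import sqlite3
import subprocess

# Constructed inputs standing in for what a mail-driven append script might
# extract from a message (assumed fields; the real script is not on the page).
BUG_ID = "1234"
HOSTILE_SENDER = "user@example.com; echo INJECTED"


def notify_shell_string(bug_id, sender):
    """Vulnerable pattern: one string handed to /bin/sh, so the ';' inside
    `sender` starts a second command.  `echo` stands in for processmail."""
    cmd = f"echo {bug_id} {sender}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_argv(bug_id, sender):
    """Hardened pattern: argv list with no shell, plus a whitelist check on the
    bug id; `sender` reaches the child as one literal argument."""
    if not bug_id.isdigit():
        raise ValueError("bug id must be numeric")
    return subprocess.run(["echo", bug_id, sender],
                          capture_output=True, text=True).stdout


# Assumed minimal profiles table with a privilege column (not Bugzilla's schema).
SCHEMA = """
CREATE TABLE profiles (login_name TEXT PRIMARY KEY, realname TEXT,
                       groupset INTEGER NOT NULL DEFAULT 0);
INSERT INTO profiles VALUES ('admin@example.com', 'Site Admin', 1);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_account_concat(conn, login, realname):
    """Vulnerable pattern: values spliced into the SQL text.  A lone apostrophe
    breaks the statement; a crafted one closes the literal and appends a
    statement of the attacker's choosing."""
    sql = ("INSERT INTO profiles (login_name, realname) "
           f"VALUES ('{login}', '{realname}')")
    conn.executescript(sql)   # executescript so an appended statement runs too


def create_account_param(conn, login, realname):
    """Hardened pattern: bound parameters; the apostrophe is just data."""
    conn.execute("INSERT INTO profiles (login_name, realname) VALUES (?, ?)",
                 (login, realname))


def profile(conn, login):
    """Return (realname, groupset) for a login, or None if absent."""
    return conn.execute("SELECT realname, groupset FROM profiles "
                        "WHERE login_name = ?", (login,)).fetchone()


EVE = "eve@example.com"
# Constructed payload: closes the INSERT's value list, then promotes the new
# account; the trailing '--' comments out the original closing quote/paren.
EVIL_REALNAME = ("Eve'); UPDATE profiles SET groupset = 1 "
                 f"WHERE login_name = '{EVE}'; --")


def run_demo():
    """Exercise both account-creation paths; results are returned, not printed."""
    results = {}

    db = fresh_db()
    try:
        create_account_concat(db, "pat@example.com", "O'Brien")
        results["apostrophe_concat_error"] = False
    except sqlite3.OperationalError:
        results["apostrophe_concat_error"] = True     # the "not handled" symptom

    db = fresh_db()
    create_account_concat(db, EVE, EVIL_REALNAME)
    results["concat_eve"] = profile(db, EVE)           # ('Eve', 1): privilege gained

    db = fresh_db()
    create_account_param(db, EVE, EVIL_REALNAME)
    results["param_eve"] = profile(db, EVE)            # payload stored verbatim, groupset 0
    return results


if __name__ == "__main__":
    print("shell string:", repr(notify_shell_string(BUG_ID, HOSTILE_SENDER)))
    print("argv list:   ", repr(notify_argv(BUG_ID, HOSTILE_SENDER)))
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

	Run it and compare the two `echo` outputs: with the shell in the loop the sender string yields a second line, `INJECTED`; with the argv form the same string is printed back as one argument. On the SQL side the naive path either fails outright on `O'Brien` or, with the crafted realname, leaves the new account holding `groupset = 1`, while the parameterised path stores the payload as an ordinary (if odd) real name and the default privilege.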

SOLUTION

	Upgrade to Bugzilla 2.14.4 (2.14 branch) or 2.16.1 (2.16 branch). For the
	group permissions leak, see comment 12 of bug 167485 for how to detect
	and repair affected installations.
