Bugzilla .htaccess scripts could allow an attacker to obtain database password

bugzilla-htaccess-database-password (10970) The risk level is classified as Medium Risk

Description:

Bugzilla could allow a remote attacker to obtain sensitive information. The default .htaccess scripts fail to properly prevent access to backups of the localconfig file created by a text editor. A remote attacker could exploit this vulnerability by downloading a backup copy of the localconfig file to obtain a user's database password.
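The weakness described above is a deny-list that names only the exact file, so editor backups with the same stem are served. The following added example (not code from Bugzilla or from this advisory) emulates Apache's FilesMatch matching in Python to show the difference: a constructed weak pattern that denies only `localconfig` beside a constructed hardened pattern that denies any name containing `localconfig`, both checked against constructed editor-backup names, plus a small directory audit a defender can run against a web root. The two regexes and the file names are assumptions for illustration, not the patterns shipped in any Bugzilla release.

```python
"""Check whether an Apache <FilesMatch> deny pattern also covers editor backups
of localconfig. Added example for this advisory; patterns and names are constructed."""
import os
import re
import tempfile

# Constructed patterns. The weak one denies only the exact file name; the
# hardened one denies any name that contains "localconfig", so backups such as
# localconfig~ or .localconfig.swp are covered too.
WEAK_PATTERN = r"^(localconfig|.*\.pl)$"
HARDENED_PATTERN = r"^(.*localconfig.*|.*\.pl)$"

# Constructed names that common editors and tools leave next to an edited file.
EDITOR_BACKUPS = [
    "localconfig",        # the real file
    "localconfig~",       # Emacs and many other editors: trailing tilde
    "#localconfig#",      # Emacs autosave
    ".localconfig.swp",   # vim swap file
    "localconfig.bak",    # generic backup suffix
    "localconfig.orig",   # patch(1) leftover
    "localconfig.old",
]


def is_denied(pattern: str, filename: str) -> bool:
    """Emulate Apache FilesMatch: an unanchored PCRE search on the basename."""
    return re.search(pattern, filename) is not None


def exposed_files(pattern: str, filenames) -> list:
    """Return the names the given FilesMatch pattern would NOT deny."""
    return [name for name in filenames if not is_denied(pattern, name)]


def audit_directory(path: str, pattern: str) -> list:
    """Walk a directory tree and report files whose name contains 'localconfig'
    but which the deny pattern would not cover. Returns basenames, sorted."""
    findings = []
    for _root, _dirs, files in os.walk(path):
        for name in files:
            if "localconfig" in name and not is_denied(pattern, name):
                findings.append(name)
    return sorted(findings)


def demo_audit(pattern: str) -> list:
    """Populate a throwaway directory with the constructed names and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in EDITOR_BACKUPS:
            open(os.path.join(tmp, name), "w").close()
        return audit_directory(tmp, pattern)


if __name__ == "__main__":
    print("weak pattern leaves exposed:    ", exposed_files(WEAK_PATTERN, EDITOR_BACKUPS))
    print("hardened pattern leaves exposed:", exposed_files(HARDENED_PATTERN, EDITOR_BACKUPS))
    print("audit of a sample web root:     ", demo_audit(WEAK_PATTERN))
```

Pattern-based denial is still a deny-list, so the more durable fix is to keep `localconfig` and anything derived from it outside the document root entirely; the pattern check above is useful as a regression test for whatever .htaccess rule is in place.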


Consequences:

Obtain Information

Remedy:

Upgrade to the latest version of Bugzilla (2.17.3 or later), as listed in Bugzilla Security Advisory January 2nd, 2002. See References.

For Debian GNU/Linux:
Upgrade to the latest bugzilla package as listed below. Refer to DSA-230-1 for more information. See References.

Debian GNU/Linux 3.0 (woody): 2.14.2-0woody4 or later

For other distributions:
Contact your vendor for upgrade or patch information.

References:

  • Bugzilla Bug 186383: Checksetup leaves editor backups of localconfig accessible.
  • Bugzilla Security Advisory, January 2nd, 2003: remote database password disclosure.
  • BID-6501: Bugzilla LocalConfig Backup File Disclosure Vulnerability
  • CVE-2003-0013: The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remote attackers to obtain a database password by directly accessing the backup file.
  • DSA-230: bugzilla -- insecure permissions
  • OSVDB ID: 6351: Bugzilla .htaccess Backup File Protection Failure

Platforms Affected:

  • Debian Debian Linux 3.0
  • Mozilla Bugzilla 2.14
  • Mozilla Bugzilla 2.14.1
  • Mozilla Bugzilla 2.14.2
  • Mozilla Bugzilla 2.14.3
  • Mozilla Bugzilla 2.14.4
  • Mozilla Bugzilla 2.16
  • Mozilla Bugzilla 2.16.1
  • Mozilla Bugzilla 2.17
  • Mozilla Bugzilla 2.17.1

Reported:

Jan 02, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
