Summary
This host is running Bugzilla and is prone to an information disclosure vulnerability.
Impact
Successful exploitation will allow attackers to read sensitive configuration fields.
Impact Level: Application
Solution
Upgrade to Bugzilla version 3.6.1, 3.7.1 or later. For updates, refer to http://www.bugzilla.org/download/
Insight
The flaw is due to an error in 'install/Filesystem.pm', which uses world-readable permissions for the localconfig files, allowing sensitive configuration fields such as the database password field and the site_wide_secret field to be read.
Affected
Bugzilla version 3.5.1 to 3.6 and 3.7
References
Severity
Classification
CVE: CVE-2010-0180
CVSS Base Score: 1.9
AV:L/AC:M/Au:N/C:P/I:N/A:N